Data Loss Prevention

Greetings,

I've encountered an issue on multiple occasions in 11.5 where the LDAP lookup plugin does not return values for (sAMAccontName=$file-owner$) and (sAMAccontName=$endpoint-user-name$)) in the LiveLDAPlookup.properties file (yes, the plugin is enabled in plugins.properties). Basically, this translates to a lack of user data being populated when incidents come from Enforce and Discover.

I'm working on recreating this in a test environment now, but was wondering if anyone else had experienced this issue... or whether this is a known issue with the addition of these "sAMAccount" fields to 11.5. Can't find anything in the admin guide or the Lookup Plugin guide that mentions anything about setting this up specifically.

Thanks in advance,

Andrew

Another thing worth mentioning--- Endpoint incidents from SMTP seem to be populating from LDAP via the (mail=$sender-email$) field---- but for instance, an endpoint incident generated from a clipboard violation does not populate from the sAMAccount fields.

Hi ANaybor,

In general, Endpoint can not access LDAP Servers when setup when AD User Groups are used.
This is due to the way the AD User Group resolution is performed. The Endpoint does not use LDAP but the ADSI API to access the local AD resources.

In detail:

1.The current solution on the endpoint uses ADSI API to query the AD. The current support is only for MS Active Directory.
2.It supports querying of groups from AD for the specified user

PM-1430 has been filed for "LDAP support - Tivoli Directory Server for endpoint group based policies." , which essentially requests support for LDAP referencing on the Endpoint when AD User Groups is in use. There is currently no target version set. Please contact your Account Manager or PM for consideration. You can also contact support to see if a target version has been set.