Sender-email does not match mail attribute in LDAP for a given user.

Article ID: 169554

Products

Data Loss Prevention Enforce

Issue/Introduction

Attributes are defined in LDAP for a given user that change their "send as" email address.

Custom Attributes do not populate.

Cause

Because the sender email is not the same as the value of the mail attribute for the user, the default LDAP lookups will not work out-of-the-box.

Resolution

The Administration Guide for DLP specifies the following string as an example for an LDAP lookup string:

attr.CustomAttributeName = search_base:(search_filter=$variable$):ldapAttribute

For additional context, here is which product each part of that string belongs to:

attr.CustomAttributeName    This is a DLP attribute
search_base                 This is an LDAP value*
search_filter=              This is an LDAP value
$variable$                  This is a DLP variable
ldapAttribute               This is an LDAP value

*This value, if entered, is appended to the search base defined in the directory connection.

Furthermore, the Administration Guide states, “In cases where multiple plug-ins are chained together, the parameter might be a variable that is passed to the LDAP Lookup Plug-In by a previous plug-in.”

To implement an LDAP Lookup Plug-In:

  1. Create the following custom attribute at System > Attributes > Custom Attributes:

     UserEmail

  2. Create a directory connection for the Active Directory server at System > Settings > Directory Connections.
  3. Test the connection. The system indicates whether the connection is successful.
  4. Create a new LDAP plug-in at System > Lookup Plugins > New Plugin > LDAP.

     Name: LDAP Lookup Plug-in 0
     Description: Description for the LDAP Plug-in.

  5. Select the directory connection created in Step 2.
  6. Map the attributes to LDAP metadata:

     attr.UserEmail=:(targetAddress=$sender-email$):mail

  7. Save the plug-in. Verify that the correct save message for the plug-in is displayed.
  8. Enable the following keys at the System > Lookup Plugins > Lookup Parameters page:
     • Incident
     • Message
     • Sender
  9. Create an incident that generates one of the lookup parameters. For example, an email incident exposes the sender-email attribute. There must be corresponding information in the Active Directory server.
  10. Open the Incident Snapshot for the incident.
  11. Click the Lookup button and verify that the custom attributes created in Step 1 are populated in the right panel.

The end result is a new custom attribute, UserEmail, on the right-hand side of the Incident Snapshot, resolved from the sender address. Once UserEmail is populated it can be passed as a variable to further lookup strings.

Example:

attr.UserEmail=cn=users:(targetAddress=$sender-email$):mail
attr.First\ Name=:(mail=$UserEmail$):givenName
attr.Last\ Name=:(mail=$UserEmail$):sn


NOTE: In cases where the sender-email is not contained in the incident (e.g., Endpoint incidents that did not come from the Outlook channel), you can use the mapping below instead, which keys the first lookup on the endpoint user name:

attr.UserEmail=:(sAMAccountName=$endpoint-user-name$):mail
attr.First\ Name=:(mail=$UserEmail$):givenName
attr.Last\ Name=:(mail=$UserEmail$):sn
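To make the lookup-string format and the chaining behaviour concrete, here is an added Python model (example code written for this article, not part of the DLP product) that parses the mapping lines above, substitutes $variable$ values in order, and runs each filter against a small constructed in-memory directory. The directory entries, the assumed connection search base dc=example,dc=com, and the toy equality-only search are all constructed for illustration; the RFC 4515 value escaping is added hardening, not something the article states the plug-in does.

```python
import re

# Constructed stand-in for the directory: (dn, attributes). Not real data.
DIRECTORY = [
    ("cn=jdoe,cn=users,dc=example,dc=com",
     {"mail": "john.doe@example.com", "targetAddress": "jdoe@sales.example.com",
      "sAMAccountName": "jdoe", "givenName": "John", "sn": "Doe"}),
]
BASE_DN = "dc=example,dc=com"  # search base of the directory connection (assumed)

# attr.<Name>=<search_base>:(<filterAttr>=$<variable>$):<ldapAttribute>
LINE_RE = re.compile(r"^attr\.(.+?)=(.*?):\((\w+)=\$([\w-]+)\$\):(\w+)$")
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def parse_mapping(line):
    """Split one lookup string into its DLP parts and its LDAP parts."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a lookup string: {line!r}")
    name, base, filter_attr, variable, ldap_attr = m.groups()
    return {"name": name.replace("\\ ", " "), "base": base,
            "filter_attr": filter_attr, "variable": variable, "ldap_attr": ldap_attr}

def escape_filter_value(value):
    """RFC 4515 escaping, so a value taken from the incident is matched literally."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def ldap_search(base, filter_attr, assertion):
    """Toy equality match over DIRECTORY; a real plug-in sends the filter to the server."""
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), assertion).lower()
    return [attrs for dn, attrs in DIRECTORY
            if dn.lower().endswith(base.lower()) and attrs.get(filter_attr, "").lower() == wanted]

def run_lookup(mappings, incident):
    """Resolve the mappings in order; each result becomes a $variable$ for later lines."""
    values = dict(incident)
    for line in mappings:
        m = parse_mapping(line)
        value = values.get(m["variable"])
        if value is None:
            continue  # this incident type does not expose the variable (e.g. no sender-email)
        base = f"{m['base']},{BASE_DN}" if m["base"] else BASE_DN  # the '*' rule above
        hits = ldap_search(base, m["filter_attr"], escape_filter_value(value))
        if len(hits) == 1 and m["ldap_attr"] in hits[0]:
            values[m["name"]] = hits[0][m["ldap_attr"]]
    return {k: v for k, v in values.items() if k not in incident}

MAPPINGS = ["attr.UserEmail=cn=users:(targetAddress=$sender-email$):mail",
            "attr.First\\ Name=:(mail=$UserEmail$):givenName",
            "attr.Last\\ Name=:(mail=$UserEmail$):sn"]
```

Running the default-style mapping (mail=$sender-email$) against the same directory returns nothing, which is the situation described under Cause; the targetAddress mapping resolves UserEmail and the chained lines then fill First Name and Last Name.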