BMC Defender LDAP Tool Kit


This section provides a detailed description of the BMC Defender LDAP Interface Software (also known as the BMC Defender LDAP Tool Kit). This is an optional set of files and executables added to the BMC Defender Server that allows you to interact with user-defined data acquired directly from an LDAP server, including Microsoft Windows Active Directory.

The section provides information on specific features and capabilities of the software, including installation procedures, operating theory, application notes, and certain features not documented elsewhere.

The LDAP software can be installed on any BMC Defender Server. BMC Defender does not require the software to manage users, nor does it necessarily add correlation functions within the program. The LDAP software is useful for examining external user data, with applications in forensics, and provides a convenient way of reading detailed user information that might be present in external data stores.

This section is for BMC Defender users who are operating the system, as well as system administrators responsible for installing the software components. This information might also be of interest to program developers and administrators.

Overview of operation

The LDAP interface software more tightly integrates the BMC Defender Server with an LDAP or Active Directory server. The software affects several screens as follows:

  • System > Tools > Auto Update > LDAP screen — The software adds a new LDAP tab to the System > Tools screen, allowing the manager to configure the LDAP acquisition process, schedule times to acquire LDAP data, and review the operation of the LDAP process.
  • User Info screen — The software adds a new View LDAP Info link to User information screens (accessed by clicking a user name hyperlink anywhere within BMC Defender). This allows a system manager to view the LDAP records associated with a managed user.
  • Messages > Users > Advanced screen — The software adds new capabilities to the Advanced screen of your monitor:
    The operator can limit discovery to only those names recorded in the LDAP or Active Directory data, and can delete users that are not in the LDAP or Active Directory list.

LDAP basics

Lightweight Directory Access Protocol (LDAP) is an application protocol for reading and editing information over a TCP/IP network. This information is called a directory, and it is organized into records of items.

Specifically, the information accessed by LDAP consists of a tree of directory entries, where each entry consists of a set of attributes and values. Each attribute has a specific name and one or more values. The attributes are defined in a schema appropriate for the particular directory name and attribute.

Each entry has a unique identifier referred to as its Distinguished Name (abbreviated DN), which is similar to the full path name of a particular disk file. You can query a single DN, or a range of DNs.

Due to the flexibility associated with LDAP, and its overall security (implemented via TLS), many organizations choose to keep user information in this type of directory. Microsoft Active Directory provides an extension to LDAP to authenticate users, hence providing a central mechanism for maintaining passwords, identifiers, and other items related to user logins.

Note

A full discussion of LDAP is beyond the scope of this section; LDAP is a well-documented protocol, and specifics related to all aspects of its use and operation are available from a variety of external sources.


LDIFDE.exe program

LDAP or Active Directory data is acquired using built-in libraries, and installation of the LDIFDE program is not strictly required to use the LDAP interface.

However, the ldifde.exe program, which is a standard Windows utility available on Windows 2008 and other systems, can be substituted for the internal libraries, as might be necessary in some customized installations. This Windows utility program is executed by the installationDirectory\net-user\gen-ldap.bat file (launched via the GenLDAP.exe program). Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.

If necessary, an administrator can edit the gen-ldap.bat file to provide special directives or other logic needed to support the site. When the gen-ldap.bat file executes, the batch file must place the resulting raw LDIF list in the location specified by the %LDAP_OUTPUT_FILE% environmental variable. When the batch file exits, the GenLDAP.exe program resumes its background execution and formats the data into the files expected and required by the system.

The ldifde.exe program is documented on the web. Additionally, the operator can execute ldifde.exe /? for brief help on the various options available for configuration.

Note

The gen-ldap.bat file, as described, normally does not require any changes or modifications if the BMC Defender Server is joined to the organization's domain.

GenLDAP batch file environmental variables

When the gen-ldap.bat file (residing in the net-users folder of the server installation) is executed, the batch file can access various environmental variables. This furnishes the flexibility that might be necessary to add extra functionality or accommodate special conditions.

The environmental variables and values, instantiated prior to the system launch of the gen-ldap.bat file, are documented as follows.

  • %LDAP_CMD% — This environmental variable is the pathname to the external command that actually gathers the LDAP information. This normally points to an external executable or DLL. The variable can be replaced by the hardcoded path to ldifde.exe on the system, or some equivalent value.

    Note

    The value of %LDAP_CMD% can change between server software versions.

  • %LDAP_OUTPUT% — This environmental variable is the pathname to a temporary output file that contains the LDAP output. This value is typically the path ../net-user/gen-ldap.dat_tmp, but the value can change between server software versions.
  • %LDAP_OPTIONS% — This environmental variable contains the name of the LDAP server (if configured and other than Default). The value is used as a command line argument to the %LDAP_CMD% value. (The LDAP Server Name is configured on the Edit screen for the adapter.)
  • %LDAP_METHOD% — This environmental variable reflects the settings configured on the LDAP Adapter Edit screen, after clicking the Special Auth Settings link. The value is whatever the operator has selected as the LDAP Auth Method on that screen.
  • %LDAP_USER% — This environmental variable reflects the settings configured on the LDAP Adapter Edit screen, after clicking the Special Auth Settings link. The value is whatever the operator has selected as the LDAP Auth User Name on that screen.
  • %LDAP_PASS% — This environmental variable reflects the settings configured on the LDAP Adapter Edit screen, after clicking the Special Auth Settings link. The value is whatever the operator has selected as the LDAP Auth Password on that screen.

    Note

    The password is encrypted on the disk, and is generally not retrievable via the Web interface.

  • %LDAP_DOM% — This environmental variable reflects the settings configured on the LDAP Adapter Edit screen, after clicking the Special Auth Settings link. The value is whatever the operator has selected as the LDAP Auth Domain on that screen.

One application of these variables is to construct a gen-ldap.bat file that gathers information from several domain controllers, for example to support an enterprise with more than one domain. An example of such a modification is furnished as follows. The administrator can copy and paste the text at the bottom into the gen-ldap.bat file and configure the domain names (replacing dname1 and dname2 as follows) to acquire data from two different domain controllers.
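The following is an added example of such a two-domain gen-ldap.bat, written for this page and not the batch file shipped with the product. It assumes ldifde.exe is on the PATH (or that %LDAP_CMD% has been pointed at it), and the host names dc1.dname1.example / dc1.dname2.example and the base DNs are placeholders for the site's own values; the merged raw LDIF is written to %LDAP_OUTPUT% as described in the variable list above.

```batch
@echo off
REM Added example (not the product's shipped gen-ldap.bat): export user entries
REM from two domain controllers and merge them into the single raw LDIF file
REM that GenLDAP.exe reads from %LDAP_OUTPUT% when this batch file exits.
setlocal EnableDelayedExpansion

REM Prefer the command GenLDAP.exe supplies; fall back to ldifde.exe on the PATH.
set "TOOL=%LDAP_CMD%"
if "%TOOL%"=="" set "TOOL=ldifde.exe"

REM Start from an empty output file so a stale list from an earlier run
REM is never merged with the fresh export.
type nul > "%LDAP_OUTPUT%"

REM Pass explicit credentials to ldifde (-b user domain password) only when
REM GenLDAP supplies a user name. On a domain-joined server leave the Special
REM Auth Settings empty: ldifde then binds with the service's own security
REM context and no password is exposed on the command line or in process lists.
set "AUTH="
if not "%LDAP_USER%"=="" set "AUTH=-b "%LDAP_USER%" "%LDAP_DOM%" "%LDAP_PASS%""

REM Placeholder list, one entry per domain controller: host;search base DN.
REM Replace dname1/dname2 and the DNs with the organization's own domains.
set "TARGETS="dc1.dname1.example;DC=dname1,DC=example" "dc1.dname2.example;DC=dname2,DC=example""

for %%P in (%TARGETS%) do (
    for /f "tokens=1,2 delims=;" %%A in (%%P) do (
        set "PART=%TEMP%\gen-ldap-%%A.ldf"
        REM -s server, -d base DN, -r LDAP filter, -l attribute list, -f output file
        "%TOOL%" -f "!PART!" -s %%A -d "%%B" -r "(objectClass=user)" -l "sAMAccountName,displayName,mail,userAccountControl" !AUTH!
        if errorlevel 1 (
            REM Report the failure but keep going so one unreachable controller
            REM does not discard the data already gathered from the others.
            echo gen-ldap.bat: export from %%A failed with exit code !errorlevel! 1>&2
        ) else (
            type "!PART!" >> "%LDAP_OUTPUT%"
        )
        if exist "!PART!" del "!PART!"
    )
)

endlocal
```

Each controller's export goes to its own temporary .ldf so a failed export leaves nothing partial in %LDAP_OUTPUT%; the per-controller files are deleted after they are appended.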
