Informatica® Dynamic Data Masking

9.9.1

Active Directory Accelerator

Guide
Informatica Dynamic Data Masking Active Directory Accelerator Guide
9.9.1
June 2019
© Copyright Informatica LLC 1993, 2019

This software and documentation contain proprietary information of Informatica LLC and are provided under a license agreement containing restrictions on use and
disclosure and are also protected by copyright law. Reverse engineering of the software is prohibited. No part of this document may be reproduced or transmitted in any
form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica LLC. This Software may be protected by U.S. and/or
international Patents and other Patents Pending.

Use, duplication, or disclosure of the Software by the U.S. Government is subject to the restrictions set forth in the applicable software license agreement and as
provided in DFARS 227.7202-1(a) and 227.7702-3(a) (1995), DFARS 252.227-7013©(1)(ii) (OCT 1988), FAR 12.212(a) (1995), FAR 52.227-19, or FAR 52.227-14 (ALT III),
as applicable.

The information in this product or documentation is subject to change without notice. If you find any problems in this product or documentation, please report them to
us in writing.

Informatica, Informatica Platform, Informatica Data Services, PowerCenter, PowerCenterRT, PowerCenter Connect, PowerCenter Data Analyzer, PowerExchange,
PowerMart, Metadata Manager, Informatica Data Quality, Informatica Data Explorer, Informatica B2B Data Transformation, Informatica B2B Data Exchange Informatica
On Demand, Informatica Identity Resolution, Informatica Application Information Lifecycle Management, Informatica Complex Event Processing, Ultra Messaging,
Informatica Master Data Management, and Live Data Map are trademarks or registered trademarks of Informatica LLC in the United States and in jurisdictions
throughout the world. All other company and product names may be trade names or trademarks of their respective owners.

Portions of this software and/or documentation are subject to copyright held by third parties, including without limitation: Copyright DataDirect Technologies. All rights
reserved. Copyright © Sun Microsystems. All rights reserved. Copyright © RSA Security Inc. All Rights Reserved. Copyright © Ordinal Technology Corp. All rights
reserved. Copyright © Aandacht c.v. All rights reserved. Copyright Genivia, Inc. All rights reserved. Copyright Isomorphic Software. All rights reserved. Copyright © Meta
Integration Technology, Inc. All rights reserved. Copyright © Intalio. All rights reserved. Copyright © Oracle. All rights reserved. Copyright © Adobe Systems Incorporated.
All rights reserved. Copyright © DataArt, Inc. All rights reserved. Copyright © ComponentSource. All rights reserved. Copyright © Microsoft Corporation. All rights
reserved. Copyright © Rogue Wave Software, Inc. All rights reserved. Copyright © Teradata Corporation. All rights reserved. Copyright © Yahoo! Inc. All rights reserved.
Copyright © Glyph & Cog, LLC. All rights reserved. Copyright © Thinkmap, Inc. All rights reserved. Copyright © Clearpace Software Limited. All rights reserved. Copyright
© Information Builders, Inc. All rights reserved. Copyright © OSS Nokalva, Inc. All rights reserved. Copyright Edifecs, Inc. All rights reserved. Copyright Cleo
Communications, Inc. All rights reserved. Copyright © International Organization for Standardization 1986. All rights reserved. Copyright © ej-technologies GmbH. All
rights reserved. Copyright © Jaspersoft Corporation. All rights reserved. Copyright © International Business Machines Corporation. All rights reserved. Copyright ©
yWorks GmbH. All rights reserved. Copyright © Lucent Technologies. All rights reserved. Copyright © University of Toronto. All rights reserved. Copyright © Daniel
Veillard. All rights reserved. Copyright © Unicode, Inc. Copyright IBM Corp. All rights reserved. Copyright © MicroQuill Software Publishing, Inc. All rights reserved.
Copyright © PassMark Software Pty Ltd. All rights reserved. Copyright © LogiXML, Inc. All rights reserved. Copyright © 2003-2010 Lorenzi Davide, All rights reserved.
Copyright © Red Hat, Inc. All rights reserved. Copyright © The Board of Trustees of the Leland Stanford Junior University. All rights reserved. Copyright © EMC
Corporation. All rights reserved. Copyright © Flexera Software. All rights reserved. Copyright © Jinfonet Software. All rights reserved. Copyright © Apple Inc. All rights
reserved. Copyright © Telerik Inc. All rights reserved. Copyright © BEA Systems. All rights reserved. Copyright © PDFlib GmbH. All rights reserved. Copyright ©
Orientation in Objects GmbH. All rights reserved. Copyright © Tanuki Software, Ltd. All rights reserved. Copyright © Ricebridge. All rights reserved. Copyright © Sencha,
Inc. All rights reserved. Copyright © Scalable Systems, Inc. All rights reserved. Copyright © jQWidgets. All rights reserved. Copyright © Tableau Software, Inc. All rights
reserved. Copyright© MaxMind, Inc. All Rights Reserved. Copyright © TMate Software s.r.o. All rights reserved. Copyright © MapR Technologies Inc. All rights reserved.
Copyright © Amazon Corporate LLC. All rights reserved. Copyright © Highsoft. All rights reserved. Copyright © Python Software Foundation. All rights reserved.
Copyright © BeOpen.com. All rights reserved. Copyright © CNRI. All rights reserved.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/), and/or other software which is licensed under various
versions of the Apache License (the "License"). You may obtain a copy of these Licenses at http://www.apache.org/licenses/. Unless required by applicable law or
agreed to in writing, software distributed under these Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.

This product includes software which was developed by Mozilla (http://www.mozilla.org/), software copyright The JBoss Group, LLC, all rights reserved; software
copyright © 1999-2006 by Bruno Lowagie and Paulo Soares and other software which is licensed under various versions of the GNU Lesser General Public License
Agreement, which may be found at http:// www.gnu.org/licenses/lgpl.html. The materials are provided free of charge by Informatica, "as-is", without warranty of any
kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.

The product includes ACE(TM) and TAO(TM) software copyrighted by Douglas C. Schmidt and his research group at Washington University, University of California,
Irvine, and Vanderbilt University, Copyright (©) 1993-2006, all rights reserved.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (copyright The OpenSSL Project. All Rights Reserved) and
redistribution of this software is subject to terms available at http://www.openssl.org and http://www.openssl.org/source/license.html.

This product includes Curl software which is Copyright 1996-2013, Daniel Stenberg, <daniel@haxx.se>. All Rights Reserved. Permissions and limitations regarding this
software are subject to terms available at http://curl.haxx.se/docs/copyright.html. Permission to use, copy, modify, and distribute this software for any purpose with or
without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

The product includes software copyright 2001-2005 (©) MetaStuff, Ltd. All Rights Reserved. Permissions and limitations regarding this software are subject to terms
available at http://www.dom4j.org/ license.html.

The product includes software copyright © 2004-2007, The Dojo Foundation. All Rights Reserved. Permissions and limitations regarding this software are subject to
terms available at http://dojotoolkit.org/license.

This product includes ICU software which is copyright International Business Machines Corporation and others. All rights reserved. Permissions and limitations
regarding this software are subject to terms available at http://source.icu-project.org/repos/icu/icu/trunk/license.html.

This product includes software copyright © 1996-2006 Per Bothner. All rights reserved. Your right to use such materials is set forth in the license which may be found at
http:// www.gnu.org/software/ kawa/Software-License.html.

This product includes OSSP UUID software which is Copyright © 2002 Ralf S. Engelschall, Copyright © 2002 The OSSP Project Copyright © 2002 Cable & Wireless
Deutschland. Permissions and limitations regarding this software are subject to terms available at http://www.opensource.org/licenses/mit-license.php.

This product includes software developed by Boost (http://www.boost.org/) or under the Boost software license. Permissions and limitations regarding this software
are subject to terms available at http:/ /www.boost.org/LICENSE_1_0.txt.

This product includes software copyright © 1997-2007 University of Cambridge. Permissions and limitations regarding this software are subject to terms available at
http:// www.pcre.org/license.txt.

This product includes software copyright © 2007 The Eclipse Foundation. All Rights Reserved. Permissions and limitations regarding this software are subject to terms
available at http:// www.eclipse.org/org/documents/epl-v10.php and at http://www.eclipse.org/org/documents/edl-v10.php.
This product includes software licensed under the terms at http://www.tcl.tk/software/tcltk/license.html, http://www.bosrup.com/web/overlib/?License, http://
www.stlport.org/doc/ license.html, http://asm.ow2.org/license.html, http://www.cryptix.org/LICENSE.TXT, http://hsqldb.org/web/hsqlLicense.html, http://
httpunit.sourceforge.net/doc/ license.html, http://jung.sourceforge.net/license.txt , http://www.gzip.org/zlib/zlib_license.html, http://www.openldap.org/software/
release/license.html, http://www.libssh2.org, http://slf4j.org/license.html, http://www.sente.ch/software/OpenSourceLicense.html, http://fusesource.com/downloads/
license-agreements/fuse-message-broker-v-5-3- license-agreement; http://antlr.org/license.html; http://aopalliance.sourceforge.net/; http://www.bouncycastle.org/
licence.html; http://www.jgraph.com/jgraphdownload.html; http://www.jcraft.com/jsch/LICENSE.txt; http://jotm.objectweb.org/bsd_license.html; . http://www.w3.org/
Consortium/Legal/2002/copyright-software-20021231; http://www.slf4j.org/license.html; http://nanoxml.sourceforge.net/orig/copyright.html; http://www.json.org/
license.html; http://forge.ow2.org/projects/javaservice/, http://www.postgresql.org/about/licence.html, http://www.sqlite.org/copyright.html, http://www.tcl.tk/
software/tcltk/license.html, http://www.jaxen.org/faq.html, http://www.jdom.org/docs/faq.html, http://www.slf4j.org/license.html; http://www.iodbc.org/dataspace/
iodbc/wiki/iODBC/License; http://www.keplerproject.org/md5/license.html; http://www.toedter.com/en/jcalendar/license.html; http://www.edankert.com/bounce/
index.html; http://www.net-snmp.org/about/license.html; http://www.openmdx.org/#FAQ; http://www.php.net/license/3_01.txt; http://srp.stanford.edu/license.txt;
http://www.schneier.com/blowfish.html; http://www.jmock.org/license.html; http://xsom.java.net; http://benalman.com/about/license/; https://github.com/CreateJS/
EaselJS/blob/master/src/easeljs/display/Bitmap.js; http://www.h2database.com/html/license.html#summary; http://jsoncpp.sourceforge.net/LICENSE; http://
jdbc.postgresql.org/license.html; http://protobuf.googlecode.com/svn/trunk/src/google/protobuf/descriptor.proto; https://github.com/rantav/hector/blob/master/
LICENSE; http://web.mit.edu/Kerberos/krb5-current/doc/mitK5license.html; http://jibx.sourceforge.net/jibx-license.html; https://github.com/lyokato/libgeohash/blob/
master/LICENSE; https://github.com/hjiang/jsonxx/blob/master/LICENSE; https://code.google.com/p/lz4/; https://github.com/jedisct1/libsodium/blob/master/
LICENSE; http://one-jar.sourceforge.net/index.php?page=documents&file=license; https://github.com/EsotericSoftware/kryo/blob/master/license.txt; http://www.scala-
lang.org/license.html; https://github.com/tinkerpop/blueprints/blob/master/LICENSE.txt; http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/
intro.html; https://aws.amazon.com/asl/; https://github.com/twbs/bootstrap/blob/master/LICENSE; https://sourceforge.net/p/xmlunit/code/HEAD/tree/trunk/
LICENSE.txt; https://github.com/documentcloud/underscore-contrib/blob/master/LICENSE, and https://github.com/apache/hbase/blob/master/LICENSE.txt.

This product includes software licensed under the Academic Free License (http://www.opensource.org/licenses/afl-3.0.php), the Common Development and
Distribution License (http://www.opensource.org/licenses/cddl1.php) the Common Public License (http://www.opensource.org/licenses/cpl1.0.php), the Sun Binary
Code License Agreement Supplemental License Terms, the BSD License (http:// www.opensource.org/licenses/bsd-license.php), the new BSD License (http://
opensource.org/licenses/BSD-3-Clause), the MIT License (http://www.opensource.org/licenses/mit-license.php), the Artistic License (http://www.opensource.org/
licenses/artistic-license-1.0) and the Initial Developer’s Public License Version 1.0 (http://www.firebirdsql.org/en/initial-developer-s-public-license-version-1-0/).

This product includes software copyright © 2003-2006 Joe WaInes, 2006-2007 XStream Committers. All rights reserved. Permissions and limitations regarding this
software are subject to terms available at http://xstream.codehaus.org/license.html. This product includes software developed by the Indiana University Extreme! Lab.
For further information please visit http://www.extreme.indiana.edu/.

This product includes software Copyright (c) 2013 Frank Balluffi and Markus Moeller. All rights reserved. Permissions and limitations regarding this software are subject
to terms of the MIT license.

See patents at https://www.informatica.com/legal/patents.html.

DISCLAIMER: Informatica LLC provides this documentation "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied
warranties of noninfringement, merchantability, or use for a particular purpose. Informatica LLC does not warrant that this software or documentation is error free. The
information provided in this software or documentation may include technical inaccuracies or typographical errors. The information in this software and documentation
is subject to change at any time without notice.

NOTICES

This Informatica product (the "Software") includes certain drivers (the "DataDirect Drivers") from DataDirect Technologies, an operating company of Progress Software
Corporation ("DataDirect") which are subject to the following terms and conditions:

1. THE DATADIRECT DRIVERS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
2. IN NO EVENT WILL DATADIRECT OR ITS THIRD PARTY SUPPLIERS BE LIABLE TO THE END-USER CUSTOMER FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, CONSEQUENTIAL OR OTHER DAMAGES ARISING OUT OF THE USE OF THE ODBC DRIVERS, WHETHER OR NOT INFORMED OF THE POSSIBILITIES
OF DAMAGES IN ADVANCE. THESE LIMITATIONS APPLY TO ALL CAUSES OF ACTION, INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, BREACH
OF WARRANTY, NEGLIGENCE, STRICT LIABILITY, MISREPRESENTATION AND OTHER TORTS.

Revision: 1
Publication Date: 2019-06-27
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Informatica Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Informatica Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Informatica Knowledge Base. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Informatica Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Informatica Product Availability Matrices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Velocity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Marketplace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Global Customer Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 1: Introduction to the Active Directory Accelerator. . . . . . . . . . . . . . . . . . . 7

Active Directory Accelerator Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2: Active Directory Accelerator Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Active Directory Accelerator Setup Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Verify Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Configure the Active Directory Accelerator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Create a Database Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Create a Connection Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Import the Security Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 3: Active Directory Accelerator Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Active Directory Accelerator Rules Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Connection Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
MatchTables Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
LDAPActualUser Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
BlackList Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
WhiteList Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 4: Debug the Active Directory Accelerator. . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Debug the Active Directory Accelerator Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Debugging the Active Directory Accelerator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Debugging the Active Directory Accelerator with the Dynamic Data Masking Server. . . . . . . . . . . 18

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4 Table of Contents
Preface
The Active Directory Accelerator Guide contains information to help administrators use the Active Directory
accelerator to implement Dynamic Data Masking for an LDAP directory. This guide assumes that you have
knowledge of Dynamic Data Masking.

Informatica Resources
Informatica provides you with a range of product resources through the Informatica Network and other online
portals. Use the resources to get the most from your Informatica products and solutions and to learn from
other Informatica users and subject matter experts.

Informatica Network
The Informatica Network is the gateway to many resources, including the Informatica Knowledge Base and
Informatica Global Customer Support. To enter the Informatica Network, visit
https://network.informatica.com.

As an Informatica Network member, you have the following options:

• Search the Knowledge Base for product resources.

• View product availability information.
• Create and review your support cases.
• Find your local Informatica User Group Network and collaborate with your peers.

Informatica Knowledge Base

Use the Informatica Knowledge Base to find product resources such as how-to articles, best practices, video
tutorials, and answers to frequently asked questions.

To search the Knowledge Base, visit https://search.informatica.com. If you have questions, comments, or
ideas about the Knowledge Base, contact the Informatica Knowledge Base team at
KB_Feedback@informatica.com.

Informatica Documentation
Use the Informatica Documentation Portal to explore an extensive library of documentation for current and
recent product releases. To explore the Documentation Portal, visit https://docs.informatica.com.

5
 Informatica maintains documentation for many products on the Informatica Knowledge Base in addition to
the Documentation Portal. If you cannot find documentation for your product or product version on the
Documentation Portal, search the Knowledge Base at https://search.informatica.com.

If you have questions, comments, or ideas about the product documentation, contact the Informatica
Documentation team at infa_documentation@informatica.com.

Informatica Product Availability Matrices

Product Availability Matrices (PAMs) indicate the versions of the operating systems, databases, and types of
data sources and targets that a product release supports. You can browse the Informatica PAMs at
https://network.informatica.com/community/informatica-network/product-availability-matrices.

Informatica Velocity
Informatica Velocity is a collection of tips and best practices developed by Informatica Professional Services
and based on real-world experiences from hundreds of data management projects. Informatica Velocity
represents the collective knowledge of Informatica consultants who work with organizations around the
world to plan, develop, deploy, and maintain successful data management solutions.

You can find Informatica Velocity resources at http://velocity.informatica.com. If you have questions,
comments, or ideas about Informatica Velocity, contact Informatica Professional Services at
ips@informatica.com.

Informatica Marketplace
The Informatica Marketplace is a forum where you can find solutions that extend and enhance your
Informatica implementations. Leverage any of the hundreds of solutions from Informatica developers and
partners on the Marketplace to improve your productivity and speed up time to implementation on your
projects. You can find the Informatica Marketplace at https://marketplace.informatica.com.

Informatica Global Customer Support

You can contact a Global Support Center by telephone or through the Informatica Network.

To find your local Informatica Global Customer Support telephone number, visit the Informatica website at
the following link:
https://www.informatica.com/services-and-training/customer-success-services/contact-us.html.

To find online support resources on the Informatica Network, visit https://network.informatica.com and
select the eSupport option.

6 Preface
Chapter 1

Introduction to the Active

Directory Accelerator
This chapter includes the following topic:

• Active Directory Accelerator Overview, 7

Active Directory Accelerator Overview

Use the Active Directory accelerator to implement Dynamic Data Masking for an LDAP directory. The
accelerator package contains predefined Dynamic Data Masking security rules for common masking
requirements.

The Active Directory accelerator is in the Dynamic Data Masking installation folder as an additional
component that you can configure to work with an LDAP directory. You can use the accelerator rules to mask
data based on lists of authorized and unauthorized users, groups, and attributes.

7
Chapter 2

Active Directory Accelerator

Setup
This chapter includes the following topics:

• Active Directory Accelerator Setup Overview, 8

• Verify Requirements, 8
• Configure the Active Directory Accelerator, 9
• Create a Database Connection, 9
• Create a Connection Rule, 10
• Import the Security Rules, 10

Active Directory Accelerator Setup Overview

Set up the Active Directory accelerator to use predefined connection and security rules.

You can find the Active Directory accelerator in the following directory:

<Dynamic Data Masking installation>\Accelerators\ActiveDirectory

To set up the Active Directory accelerator, perform the following tasks:

1. Verify the setup requirements.

2. Configure the Active Directory Accelerator.
3. Create a Dynamic Data Masking database connection.
4. Create a connection rule.
5. Import the Active Directory accelerator security rules.

Verify Requirements
Verify the following requirements before you use the Active Directory accelerator:

• You must have Dynamic Data Masking version 9.1.0 or later installed.
• You must have a database with an LDAP directory.

8
Configure the Active Directory Accelerator
To configure the Active Directory accelerator, define the parameters in the ldap.properties file.

You can find the sample_ldap.properties file in the following directory:

<Dynamic Data Masking installation>\Accelerators\ActiveDirectory\cfg

After you edit the file, you must save it as ldap.properties in the following directory:

<Dynamic Data Masking installation>\custom\cfg\ldap.properties

For UNIX and Linux, save ldap.properties in the following directory:

<Dynamic Data Masking installation>/custom/cfg/ldap.properties

The following table describes the parameters that you define in the sample_ldap.properties file:

Parameter Description

hostname The host name or IP address of the LDAP directory.

port The LDAP port. Default is 389.

authentication The LDAP authentication. The authentication can be simple or none.

basedn The domain name in the LDAP directory format. For example, if the domain name is mycompany.com,
enter the following text:
basedn=DC\=mycompany,DC\=com

principal The user name that connects to the LDAP directory followed by @<domain name>, such as
jsmith@mycompany.com. Required if you configure the authentication to be simple.

rootpwd The password of the user that connects to the LDAP directory. Required if you configure the
authentication to be simple.
After you start the Active Directory accelerator the first time, the rootpwd value is encrypted and the
passwordEncrypted property is set to true.

Create a Database Connection

Create a Dynamic Data Masking database connection in the Management Console.

1. Log in to the Dynamic Data Masking Management Console.

2. Select the Dynamic Data Masking Server in the Management Console tree and click Tree > Add DDM
Services.
The Add DDM Services window appears.
3. Select the service that you want to add and click OK.
The Dynamic Data Masking service node appears in the Management Console tree.
4. Select a domain node or the Management Console tree root node and click Tree > Add Database.
The Add Database window appears.
5. Select the database type and configure the database connection parameters.

Configure the Active Directory Accelerator 9

 6. Click Test Connection and verify that Dynamic Data Masking is connected to the database.
7. Click OK.
The database node appears in the Management Console.

Create a Connection Rule

Create a connection rule that directs SQL requests to the LDAP Rule Set.

1. Select the Dynamic Data Masking service node that you created in the Management Console tree and
click Tree > Connection Rules.
The Rule Editor opens.
2. In the Rule Editor, highlight the Dynamic Data Masking service node in the tree and select Action >
Append Rule.
The Append Rule window opens.
3. In the Append Rule window, configure the following parameters:

Parameter Description

Rule Name The name of the connection rule.

Identify incoming connections using Select Current Target Database.

Database The name of the database.

Action applied on incoming connections Select Use Rule Set.

Rule Set Name Define the rule set name as LDAP Rule Set.

Whenever this rule is matched Select stop if applied.

4. Click OK.
The rule appears in the Rule Editor.
5. Select File > Update Rules to save the connection rule.
6. Select File > Exit to close the Rule Editor.

Import the Security Rules

Import the predefined Active Directory accelerator security rules into the Management Console.

1. Select the Management Console tree root node and click Tree > Security Rule Set.
The Add Rule Set window opens.
2. Enter "LDAP Rule Set" as the rule set name and click OK.
The LDAP Rule Set node appears in the Management Console tree.

10 Chapter 2: Active Directory Accelerator Setup

 3. Select the LDAP Rule Set rule set and click Tree > Security Rule Set.
The Rule Editor opens.
4. In the Rule Editor, click Action > Import.
The Import window opens.
5. Navigate to the following directory:
<Dynamic Data Masking installation>\Accelerators\ActiveDirectory\rules
6. Select the LDAPRuleSet.xml file and click Import.
The MatchTables rule folder appears in the Rule Editor.
7. Expand the MatchTables rule folder to view the LDAPActualUser rule and the BlackList and WhiteList rule
folders.
8. Expand the BlackList folder to view the BlackList rules.
9. Select the MaskIfLDAPMatch rule and click Action > Edit.
The Edit Rule window opens.
10. In the class path field of the rule matcher, enter the file path to LDAP.jar.
You can find LDAP.jar in the following location:
<Dynamic Data Masking installation>\Accelerators\ActiveDirectory\lib\LDAP.jar
Note: You must enter the correct class path even if you disable the MaskIfLDAPMatch rule. The Rule
Engine reads every rule in the rule set and returns an error if the class path is incorrect.
11. Click OK.
The Rule Editor closes.
12. Expand the WhiteList folder to view the WhiteList rules.
13. Select the StopIfLDAPMatch rule and click Action > Edit.
The Edit Rule window opens.
14. In the class path field of the rule matcher, enter the file path to the LDAP.jar file.
You can find the LDAP.jar file in the following location:
<Dynamic Data Masking installation>\Accelerators\ActiveDirectory\lib\LDAP.jar
Note: You must enter the correct class path even if you disable the StopIfLDAPMatch rule. The Rule
Engine reads every rule in the rule set and returns an error if the class path is incorrect.
15. Click OK.
The Rule Editor closes.
16. Define tables with sensitive information in the MatchTables rule folder.
17. Define LDAP users in the LDAPActualUser rule or disable the rule to mask data based on user groups or
attributes you define in the BlackList and WhiteList rules.
18. Define BlackList and WhiteList groups or attributes in the Rule Editor. Select a rule and click Action >
Edit to open the Edit Rule window.
19. Click File > Update Rules to save the security rules.
20. Click File > Exit to close the Rule Editor.

Import the Security Rules 11

Chapter 3

Active Directory Accelerator Rules

This chapter includes the following topics:

• Active Directory Accelerator Rules Overview, 12

• Connection Rule, 13
• MatchTables Rule , 13
• LDAPActualUser Rule, 13
• BlackList Rules, 14
• WhiteList Rules, 15

Active Directory Accelerator Rules Overview

The Active Directory accelerator contains the LDAP Rule Set security rule set. The rule set contains rules and
rule folders that you configure to mask data based on the LDAP user, attribute, or group.

If you want to define an LDAP user that receives masked or unmasked data, define the user in the
LDAPActualUser rule.

If you want to define LDAP groups that receive masked data or users with LDAP attribute values that you
want to receive masked data, enable the BlackList folder and disable the WhiteList folder. Use the
BlackListGroups rule to mask data based on LDAP groups. Use the BlackListAttributeName and
BlackListAttributeValues rules to mask data based on attribute values.

If you want some LDAP groups to receive unmasked data or you want users with certain LDAP attribute
values to receive unmasked data, enable the WhiteList folder and disable the BlackList folder. Use the
WhiteListGroups rule to allow users in an LDAP group to view unmasked data. The groups that you define in
the WhiteListGroups rule receive unmasked data. The groups that you do not list in the WhiteListGroups rule
view masked data. Use the WhiteListAttributeName and WhiteListAttributeValues rules to allow users with
certain LDAP attribute values to view unmasked data.

Note: Disable the BlackList or WhiteList rule folder based on how you want to mask data. If you enable the
BlackList rule folder and the WhiteList rule folder, the SQL request goes to the first folder in the tree.

12
Connection Rule
A Dynamic Data Masking connection rule directs the SQL request to the LDAP Rule Set security rule set.

You must create a connection rule in the Dynamic Data Masking Management Console to use the Active
Directory accelerator. Configure the connection rule to identify the incoming connection by the database
name. Select the Use Rule Set action and define the LDAP Rule Set rule set name. Select the Stop if Applied
processing action. If a request is made to the database, the Rule Engine will apply the LDAP Rule Set.

MatchTables Rule
The MatchTables rule is a security rule folder that defines the names of the tables that contain sensitive
information.

To use the LDAP Rule Set, you must enable the MatchTables rule. Select the Text security rule matcher and
define the tables that you want to mask in the Text field. The MatchTables rule uses the Folder rule action to
direct the Rule Engine to the rules in the MatchTables rule folder.

The following table describes the rules in the MatchTables folder:

Rule Description

LDAPActualUser Defines the LDAP user that receives masked or unmasked data.

BlackList Rule folder that contains the rules that define the LDAP groups that receive masked data or the
attributes of users that receive masked data.

WhiteList Rule folder that contains the rules that define the LDAP groups that receive unmasked data or the
attributes of users that receive unmasked data.

LDAPActualUser Rule
LDAPActualUser is a security rule that defines a user that receives masked or unmasked data and defines the
LDAP_ACTUAL_USER symbol.

You do not need to define the LDAP_ACTUAL_USER symbol if the value of the AUTH_SID global symbol is set
to the correct user. The LDAP matcher uses the AUTH_SID symbol if you do not define the
LDAP_ACTUAL_USER symbol. If the AUTH_SID symbol is not defined, you must define the
LDAP_ACTUAL_USER symbol in the LDAPAcutalUser rule.

The LDAPActualUser rule uses the Continue processing action. Enable the BlackList or WhiteList rule folder
to determine whether the user you define in the LDAPActualUser rule receives masked or unmasked data.

Connection Rule 13
BlackList Rules
The BlackList rule is a rule folder that defines LDAP groups or users with LDAP attribute values that receive
masked data.

To use the BlackList masking method, enable the BlackList rule folder and disable the WhiteList rule folder.

The BlackList rule folder contains BlackListGroups, BlackListAttributeName, BlackListAttributeValue, and

MaskIfLDAPMatch rules.

If you want to mask data based on the LDAP group of a user, enable the BlackListGroups rule and disable the
BlackListAttributeName and BlackListAttributeValues rules. You define the LDAP groups that receive masked
data in the BlackListGroups rule and set the Groups symbol value to the list of the LDAP groups. Enter the
LDAP groups that receive masked data in the Symbol Value field. Separate groups with a pipe symbol ( | ).

If you want to mask data based on the LDAP attribute values of users, disable the BlackListGroups rule and
enable the BlackListAttributeName and BlackListAttributeValues rules. Define the attribute in the
BlackListAttributeName rule. Set the ATTR_NAME Symbol Value to the name of the attribute. In the
BlackListAttributeValues rule, define the attribute values of the attribute that you specified in the
BlackListAttributeName rule. Set the ATTR_VALUES Symbol Value to the attribute values that you use to
identify a user that receives masked data.

You must identify users that receive masked data based on the LDAP group or attribute values. You cannot
identify LDAP groups and attribute values. If you enable the BlackListGroups rule, the LDAP matcher does not
verify the values of the ATTR_NAME and ATTR_VALUES that you define in the BlackListAttribueName and
BlackListAttributeValues rules.

Configure the MaskIfLDAPMatch rule to define how to mask the data. The rule contains table columns that
commonly contain personally identifiable information. Modify the rule based on the data that you want to
mask.

The following table describes the BlackList rules:

Rule Description

BlackListGroups Defines the value of the Groups symbol. Enter the LDAP groups that you want to receive
masked data.
You cannot use the BlackListGroups rule with the BlackListAttributeName and
BlackListAttribueValues rules.

BlackListAttributeName Defines the ATTR_NAME symbol. Enter the LDAP attribute that you use to identify users
that receive masked data.
You cannot use the BlackListAttributeName rule with the BlackListGroups rule.

BlackListAttributeValues Defines the ATTR_VALUES symbol. Enter the LDAP attribute values that you use to identify
users that receive masked data.
You cannot use the BlackListAttributeName rule with the BlackListGroups rule.

MaskIfLDAPMatch Defines how to mask the sensitive data.

14 Chapter 3: Active Directory Accelerator Rules

WhiteList Rules
The WhiteList rule is a rule folder that defines the LDAP groups or attribute values of users that receive
unmasked data. Dynamic Data Masking masks data for LDAP groups and users that do not return a match in
the WhiteList rules.

To use the WhiteList masking method, enable the WhiteList rule folder and disable the BlackList rule folder.

The WhiteList rule folder contains WhiteListGroups, WhiteListAttributeName, WhiteListAttributeValues,

StopIfLDAPMatch, and MaskingRule rules.

If you want to define LDAP groups that do not receive masked data, enable the WhiteListGroups rule and
disable the WhiteListAttributeName and WhiteListAttributeValues rules. In the WhiteListGroups rule, set the
Groups symbol value to the list of LDAP groups that receive unmasked data. Enter the LDAP groups that
receive unmasked data in the Symbol Value field. Separate groups with a pipe symbol ( | ).

If you want to define users that receive unmasked data based on the LDAP attribute values of the users,
disable the WhiteListGroups rule and enable the WhiteListAttributeName and WhiteListAttributeValues rules.
Define the attribute in the WhiteListAttributeName rule. Set the ATTR_NAME Symbol Value to the name of the
attribute. In the WhiteListAttributeValues rule, define the attribute values of the attribute that you specified in
the WhiteListAttributeName rule. Set the ATTR_VALUES Symbol Value to the attribute values that you use to
identify a user that receives unmasked data.

The StopIfLDAPMatch rule uses a Stop rule action if the LDAP group or attribute value is a match. The Rule
Engine does not apply the MaskingRule rule and the user receives unmasked data.

Configure the MaskingRule rule to define how to mask the data. The rule contains columns that commonly
contain personally identifiable information. Modify the rule based on the data that you want to mask.

The following table describes the WhiteList rules:

Rule Description

WhiteListGroups Defines the value of the Groups symbol. Enter the LDAP groups that you want to receive
unmasked data.
You cannot use the WhiteListGroups rule with the WhiteListAttributeName and
WhiteListAttribueValues rules.

WhiteListAttributeName Defines the ATTR_NAME symbol. Enter the LDAP attribute that you use to identify users
that receive unmasked data.
You cannot use the WhiteListAttributeName rule with the WhiteListGroups rule.

WhiteListAttributeValues Defines the ATTR_VALUES symbol. Enter the LDAP attribute values that you use to identify
users that receive unmasked data.
You cannot use the WhiteListAttributeName rule with the WhiteListGroups rule.

StopIfLDAPMatch Stops the Rule Engine. The Rule Engine does not apply the MaskingRule rule if the
StopIfLDAPMatch rule returns a match.

MaskingRule Defines how to mask the sensitive data.

WhiteList Rules 15
Chapter 4

Debug the Active Directory

Accelerator
This chapter includes the following topics:

• Debug the Active Directory Accelerator Overview, 16

• Debugging the Active Directory Accelerator, 17
• Debugging the Active Directory Accelerator with the Dynamic Data Masking Server, 18

Debug the Active Directory Accelerator Overview

You can debug the LDAP matcher before you use it with Dynamic Data Masking.

The LDAP debug mode does not use a security rule set. The debug mode allows you do define the
LDAP_ACTUAL_USER, ATTR_NAME, ATTR_VALUES, and Groups symbols to determine whether the LDAP
matcher correctly matches the Groups symbol or the ATTR_NAME and ATTR_VALUES symbols for the
LDAP_ACTUAL_USER user.

When you run the accelerator standalone, you create output files that show the message outputs for LDAP
group matching and attribute values matching. When you run the accelerator with the Dynamic Data Masking
Server, you enable the debug log level that logs detailed information to the server.log file.

Compare the output files to verify that the Active Directory Accelerator runs with and without the Dynamic
Data Masking Server.

The following text shows an example of the debug information from the server.log file:
12/05 16:03:50,829 [DDM for Oracle-2] DEBUG - Match User according to Attribute
countryCode and Attribute Values 123|456|789
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute userPrincipalName:
user@company.com
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute userPrincipalName has 1 values
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute description: Team Lead
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute description has 1 values
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute showInAddressBook: CN=Default
Global Address List,CN=All Global Address Lists,CN=Address Lists
Container,CN=Company,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=Company,DC=com, CN=All Users,CN=All Address
Lists,CN=Address Lists Container,CN=Company,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=Company,DC=com
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute showInAddressBook has 2 values
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute mailNickname: user
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute mailNickname has 1 values
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute homeDirectory: \\\home\user
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute homeDirectory has 1 values

16
 12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute homeDrive: U:
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute homeDrive has 1 values
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute uSNChanged: 12345678
12/05 16:03:50,838 [DDM for Oracle-2] DEBUG - Attribute uSNChanged has 1 values
………………………………………………………………………………………………………………………………
12/05 16:03:50,842 [DDM for Oracle-2] DEBUG - Attribute userAccountControl has 1 values
12/05 16:03:50,843 [DDM for Oracle-2] DEBUG - Attribute location: City
12/05 16:03:50,843 [DDM for Oracle-2] DEBUG - Attribute location has 1 values
12/05 16:03:50,843 [DDM for Oracle-2] DEBUG - ***************************
12/05 16:03:50,843 [DDM for Oracle-2] DEBUG - Value 123 of attribute countryCode found
12/05 16:03:50,843 [DDM for Oracle-2] DEBUG - LDAP returns TRUE

Debugging the Active Directory Accelerator

Debug the Active Directory accelerator.

1. Navigate to the following directory:

<Dynamic Data Masking installation>/Accelerators/ActiveDirectory/cfg
2. Find the sample_ldap.properties file and save the file as ldap.properties in the following directory:
<Dynamic Data Masking installation>/custom/cfg
3. Edit the following properties in the ldap.properties file:
hostname

The host name or IP address of the LDAP directory.

port

The LDAP port. Default is 389.

authentication

The LDAP authentication. The authentication can be simple or none.

basedn

The domain name in the LDAP directory format. For example, if the domain name is
mycompany.com, enter the following text:
basedn=DC\=mycompany,DC\=com
principal

The user name that connects to the LDAP directory followed by @<domain name>, such as
jsmith@mycompany.com. Required if you configure the authentication to be simple.

rootpwd

The password of the user that connects to the LDAP directory. Required if you configure the
authentication to be simple.

PRINT_TO_OUTPUT

Enter enabled.

LDAP_ACTUAL_USER

Enter the LDAP user that you want to check.

ATTR_NAME

Enter the attribute name that you want to check.

Debugging the Active Directory Accelerator 17

 ATTR_VALUES

Enter the attribute values that you want to check, separated by a vertical bar (|).

Groups

Enter the groups that you want to check, separated by a vertical bar (|).
4. Save the file in the custom/cfg directory as ldap.properties.
5. Find the ldap.bat file for Windows or the ldap file for Linux and UNIX. You can find the file in the
following location:
<Dynamic Data Masking installation>/Accelerators/ActiveDirectory/lib
6. Copy the ldap.bat file or the ldap file to the Dynamic Data Masking installation directory.
7. In a command prompt, navigate to the Dynamic Data Masking installation directory.
8. Run the following command in the command prompt:
• On Windows run the following command:
ldap.bat > myOutput.out
• On Linux and UNIX, run the following command:
ldap > myOutput.out
A myOutput.out file appears in the installation directory with output messages for the LDAP matcher.
9. Save the myOutput.out file.
10. Open the ldap.properties file and comment-out the Groups property. Enter a pound sign (#) before the
Groups property.
11. Save the ldap.properties file and run the following command in the command prompt:
• On Windows run the following command:
ldap.bat > myOutput.out
• On Linux and UNIX, run the following command:
ldap > myOutput.out
A myOutput.out file appears in the lib directory with output messages for the attribute value matcher.

Debugging the Active Directory Accelerator with the

Dynamic Data Masking Server
Debug the Active Directory accelerator with the Dynamic Data Masking Server

1. Navigate to the following directory:

<Dynamic Data Masking installation>/Accelerators/ActiveDirectory/cfg
2. Find the sample_ldap.properties file and save the file as ldap.properties in the following directory:
<Dynamic Data Masking installation>/custom/cfg
3. Edit the following properties in the ldap.properties file:
hostname

The host name or IP address of the LDAP directory.

18 Chapter 4: Debug the Active Directory Accelerator

 port

The LDAP port. Default is 389.

authentication

The LDAP authentication. The authentication can be simple or none.

basedn

The domain name in the LDAP directory format. For example, if the domain name is
mycompany.com, enter the following text:
basedn=DC\=mycompany,DC\=com
principal

The user name that connects to the LDAP directory followed by @<domain name>, such as
jsmith@mycompany.com. Required if you configure the authentication to be simple.

rootpwd

The password of the user that connects to the LDAP directory. Required if you configure the
authentication to be simple.
4. In the ldap.properties file, comment-out the following properties with a pound sign (#) at the beginning
of each line:
• PRINT_TO_OUTPUT
• LDAP_ACTUAL_USER
• ATTR_NAME
• ATTR_VALUES
• Groups
5. Save the file in the custom/cfg directory as ldap.properties.
6. Navigate to the following directory:
<Dynamic Data Masking installation>/cfg
7. Find the config.properties file. Back up the file before you make any changes.
8. Set the log level to debug. Edit the following property:
TraceFacility.logLevel=debug
9. Restart the Dynamic Data Masking Server.
10. Open the LDAPRuleSet in the Management Console. Verify that you defined the LDAP.jar location,
LDAP_ACTUAL_USER, ATTR_NAME, and ATTR_VALUES symbols correctly.
11. In a Dynamic Data Masking client, verify that the masking rules work.
12. Navigate to the following directory:
<Dynamic Data Masking installation>/log
13. Open the server.log file and verify that it contains the same information as the myOutput.out file you
created when you tested the Active Directory accelerator without the Dynamic Data Masking Server.

Debugging the Active Directory Accelerator with the Dynamic Data Masking Server 19
Index

A rule (continued)
BlackListAttributeValues 14
accelerator BlacklistGroups 14
setup 8 BlacklList 14
connection rule 13
LDAPActualUser 13

C MaskIfLDAPMatch 14
MaskingRule 15
connection rule security rules 12
create 10 StopIfLDAPMatch 15
WhiteList 15
WhiteListAttributeName 15

D WhiteListAttributeValues 15
WhiteListGroups 15
debug rule folder
standalone 17 BlackList 14
with the Dynamic Data Masking Server 18 MatchTables 13
WhiteList 15
rule set

M connection 13
ldap rule set 12
masking method
BlackList 14
WhiteList 15 S
security rules

R import 10

rule
BlackListAttribueName 14

20