Errors that indicate a Symantec Messaging Gateway cannot resolve LDAP group memberships

Article ID: 152804

Products

Messaging Gateway

Issue/Introduction

When "Address Resolution" is configured for a Directory Data Source (DDS) in the Directory Integration Settings configuration screen of a Symantec Messaging Gateway (SMG), and under some circumstances the SMG cannot resolve the LDAP group memberships for an Active Directory LDAP source, errors appear in the SMG logs and some e-mail messages may get stuck in one of the SMG's queues.

Errors seen when messages get stuck in one of the SMG's queues (example log entries):

DDS Log:

... [btpool0-4] [LoggingDDS] ERROR - [1286285503405] 800601
com.symantec.sms.dds.api.exception.MembershipTaskFailedException: Failed to build group memberships for data source: 1286205219164
 at com.symantec.sms.dds.bl.MembershipStoreFactory.getMembershipStore(MembershipStoreFactory.java:328)
 at com.symantec.sms.dds.bl.AddressResolutionManager.resolveMemberships(AddressResolutionManager.java:327)

BMServer Log:

...45011] DDS client: XML-RPC call returned fault 800601 - Failed to build group memberships for data source: 1286205219164
... (ERROR:13220.2650729392): [27205] Error while attempting to resolve recipients address

Note: the log entries do not identify the specific LDAP group or object that caused the failure.

Errors seen when mail flow is not affected, but a Policy Group cannot see new members of its corresponding LDAP group (example log entries):

DDS Log:

... [btpool0-60] [LoggingDDS] ERROR - [1321910499816] 800601 

com.symantec.sms.dds.api.exception.MembershipTaskFailedException: Failed to build group memberships for data source: 1321910096320 

Caused by: com.symantec.sms.dds.api.exception.AddressNotUniqueException: Address [email protected] is not unique. The following entries share the same email address: cn=user name,dc=example,dc=com; cn=user name,ou=archive,dc=example,dc=com

... [btpool0-567] [EntryDAOSpringLdap] ERROR - [1321910499816] [LDAP_BNF] unable to find unique resolvedRecipient for recipientEmail: [email protected]

   result1: cn=user name,dc=example,dc=com
   result2: cn=user name,ou=archive,dc=example,dc=com
   query: (proxyAddresses=smtp:[email protected])
   basedn: DC=example,DC=com

BrightmailLog.log:

 ...[http-41443-Processor6] ERROR - The address you have provided is shared by multiple directory entries. Check the Control Center and DDS logs for details. DDS error code: 800500 Additional information: Address [email protected] is not unique. The following entries share the same email address: cn=user name,dc=example,dc=com; cn=user name,ou=archive,dc=example,dc=com

"Find User" screen:

When the "Find User" function in the Control Center graphical user interface is used to look up an e-mail address that is shared by more than one directory entry, the following error is displayed in red on the "Find User" screen:

The address you have provided is shared by multiple directory entries. Check the Control Center and DDS logs for details. DDS error code: 800500 Additional information: Address [email protected] is not unique. The following entries share the same email address: cn=user name,dc=example,dc=com; cn=user name,ou=archive,dc=example,dc=com

Cause

When mail flow is affected:

  • A problem with one or more of the Active Directory groups used by the policy group (the log entries do not identify which group).

When mail flow is not affected:

  • Users in Active Directory with non-unique e-mail addresses; SMG detects the duplicate entries and logs the errors.
  • The cache Time-To-Live (TTL) settings are set too high.

Resolution

To restore mail flow through the SMG appliance:

  • Document all LDAP groups that belong to the currently enabled policy group (take a screenshot or write them down) on the "Policy Groups" configuration screen.
  • Delete all LDAP groups configured for that policy group. The logs do not identify the specific group, and mail flow needs to be restored as quickly as possible.
  • Check whether mail flow is restored.
  • If it is, add the LDAP groups back one at a time until the bad LDAP group is identified.
  • Delete the entry for that bad group from the policy group.

Note: to reach the "Policy Groups" configuration screen mentioned above, follow these steps:

  1. Log in to the Control Center as the user "admin".
  2. Navigate to Administration->Users->Policy Groups.
  3. The "Policy Groups" configuration screen lists all LDAP groups configured for the SMG appliance (the DDS source itself is configured on the "Administration->Settings->Directory Integration" configuration screen). The groups that are currently active have a green checkmark in the "Enabled" column on the "Policy Groups" screen.

To get rid of the error messages in the logs and restore LDAP group membership resolution:

  • Remove the duplicate entries on the Active Directory side, making sure that each LDAP user has a unique e-mail address.
  • Lower the "Minimum cache TTL" and "Maximum cache TTL" settings on the Advanced tab, or disable LDAP caching on the SMG appliance by unchecking the "Enable cache:" check box.
    • Note: For address resolution sources, the "Minimum cache TTL" setting determines how often the membership information is rebuilt for LDAP groups used in policies.
    • Note: The cache stores address entry data from previous requests. This lets the directory data service answer requests faster from cached data instead of consulting the LDAP server.
  • Clear the LDAP cache by clicking the "Clear Cache" button.
  • Check whether new users are now detected via the "Find User" option in the SMG.
  • If new users are still not detected, remove the LDAP group from the SMG and re-add it.
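Before removing duplicates on the Active Directory side, it helps to find every e-mail address that more than one entry answers to, which is the condition behind the AddressNotUniqueException and DDS error 800500 shown above. The following audit is an added example, not Symantec/Broadcom code; it assumes a directory export as a list of (DN, attributes) pairs such as an LDAP client would return, mirrors the SMG lookup on proxyAddresses (treating "mail" as a match source too), and runs on constructed sample entries.

```python
from collections import defaultdict

# Constructed sample export (assumption: (dn, attributes) pairs as an LDAP
# client would return them). The second entry duplicates the first entry's
# address, mirroring the two DNs in the article's log excerpts.
SAMPLE_EXPORT = [
    ("cn=user name,dc=example,dc=com",
     {"mail": ["user.name@example.com"],
      "proxyAddresses": ["SMTP:user.name@example.com",
                         "smtp:uname@example.com"]}),
    ("cn=user name,ou=archive,dc=example,dc=com",
     {"mail": ["user.name@example.com"],
      "proxyAddresses": ["SMTP:user.name@example.com"]}),
    ("cn=other user,dc=example,dc=com",
     {"mail": ["other.user@example.com"],
      "proxyAddresses": ["SMTP:other.user@example.com",
                         "X500:/o=Org/ou=Exchange"]}),
]


def smtp_addresses(attrs):
    """Return every SMTP address an entry answers to, lower-cased.

    SMG resolves a recipient with (proxyAddresses=smtp:<address>) and AD
    matches that attribute case-insensitively, so "SMTP:" (primary) and
    "smtp:" (secondary) both count while X500:/X400: proxies are skipped.
    """
    seen = set()
    for value in attrs.get("mail", []):
        seen.add(value.lower())
    for value in attrs.get("proxyAddresses", []):
        prefix, sep, addr = value.partition(":")
        if sep and prefix.lower() == "smtp":
            seen.add(addr.lower())
    return seen


def find_shared_addresses(export):
    """Return {address: [dn, ...]} for addresses held by two or more DNs."""
    owners = defaultdict(set)
    for dn, attrs in export:
        for addr in smtp_addresses(attrs):
            owners[addr].add(dn)
    return {addr: sorted(dns) for addr, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for addr, dns in find_shared_addresses(SAMPLE_EXPORT).items():
        print(f"Address {addr} is not unique: {'; '.join(dns)}")
```

Each reported address corresponds to one "unable to find unique resolvedRecipient" line the DDS would log; fix or remove the surplus entries, then clear the SMG cache.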

Note: to reach the "Advanced" tab and the settings mentioned above, follow these steps:

  1. If not already done, log in to the Control Center as the user "admin".
  2. Navigate to "Administration->Settings->Directory Integration".
  3. On the "Directory Integration Settings" page, click the LDAP server's hostname (it is a link) in the "Name" column.
  4. Click the "Advanced" tab.
  5. The "Cache Settings" configuration section contains the "Enable cache:", "Minimum cache TTL:", and "Maximum cache TTL:" settings.