LDAP attribute lookup fails due to query length limit


Article ID: 159665


Products

Data Loss Prevention Enforce

Issue/Introduction

You have configured LDAP custom attribute lookup, but when the lookup runs, the attributes are not populated.

Resolution

This typically happens when the lookup retrieves an attribute that carries a long list of values, such as the Active Directory "memberOf" attribute, which lists the distinguished name of every group the user belongs to.

The Tomcat error logs (localhost.[date].log) contain the following error:

SEVERE [com.vontu.model.data.validate.VarcharValidator] The parameter is too long.  Length cannot exceed 2000 characters.

The value returned for a single LDAP attribute is limited to a maximum of 2000 characters. If the value (for a multi-valued attribute, all of its values taken together) exceeds this limit, validation rejects it and the custom attribute is left empty.

One possible workaround is to use a different LDAP attribute. The best attribute to query depends on how you need to use the custom attributes within DLP. For example, if you want to determine a user's role within the organization, you might use a "department" attribute, rather than group membership. Active Directory also has a "primary group" attribute for each user, which may be useful for some purposes. Consult your Active Directory or LDAP administrator for more information on your specific LDAP implementation.
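The following script is an added example, not Symantec or Broadcom code, for checking an LDAP entry against the 2000-character limit before configuring the lookup, and for choosing a fallback attribute (such as "department" or "primaryGroupID") when "memberOf" is too long. It works on a constructed sample entry rather than a live directory, and the rule it uses to flatten a multi-valued attribute (values joined with ", ") is an assumption; adjust the separator to match your deployment.

```python
"""Pre-check LDAP attribute values against the DLP 2000-character varchar limit.

Added example (not Symantec/Broadcom code). The SEPARATOR used to flatten a
multi-valued attribute into one string is an assumption, not a documented rule.
"""
from typing import Dict, List, Optional

MAX_VARCHAR_LEN = 2000  # limit reported by VarcharValidator in localhost.[date].log
SEPARATOR = ", "        # assumption: how a multi-valued attribute is flattened


def flattened_length(values: List[str], separator: str = SEPARATOR) -> int:
    """Length of a multi-valued attribute once its values are joined into one string."""
    return len(separator.join(values))


def check_attributes(entry: Dict[str, List[str]],
                     limit: int = MAX_VARCHAR_LEN) -> Dict[str, dict]:
    """Per attribute: number of values, flattened length, and whether it fits the limit."""
    report = {}
    for name, values in entry.items():
        length = flattened_length(values)
        report[name] = {"values": len(values), "length": length, "fits": length <= limit}
    return report


def oversized_attributes(entry: Dict[str, List[str]],
                         limit: int = MAX_VARCHAR_LEN) -> List[str]:
    """Names of attributes whose flattened value would trip the validator."""
    return [name for name, r in check_attributes(entry, limit).items() if not r["fits"]]


def pick_fitting_attribute(entry: Dict[str, List[str]], candidates: List[str],
                           limit: int = MAX_VARCHAR_LEN) -> Optional[str]:
    """First candidate attribute that is present on the entry and fits within the limit.

    Typical use: try "memberOf" first and fall back to "department" or
    "primaryGroupID" when group membership is too long to store.
    """
    for name in candidates:
        values = entry.get(name)
        if values and flattened_length(values) <= limit:
            return name
    return None


# Constructed sample entry: a user in 30 AD groups with nested-OU distinguished names.
# Each DN is 73 characters, so memberOf flattens to 30*73 + 29*2 = 2248 characters.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "sAMAccountName": ["jdoe"],
    "department": ["Finance"],
    "primaryGroupID": ["513"],
    "memberOf": [
        f"CN=GRP-Finance-App{n:02d}-Users,OU=Groups,OU=Finance,OU=Corp,DC=example,DC=com"
        for n in range(1, 31)
    ],
}


if __name__ == "__main__":
    for name, r in check_attributes(SAMPLE_ENTRY).items():
        status = "ok" if r["fits"] else f"TOO LONG (> {MAX_VARCHAR_LEN})"
        print(f"{name:15} values={r['values']:3} length={r['length']:5}  {status}")
    print("oversized:", oversized_attributes(SAMPLE_ENTRY))
    print("use instead:", pick_fitting_attribute(
        SAMPLE_ENTRY, ["memberOf", "department", "primaryGroupID"]))
```

To run this against a real directory, replace SAMPLE_ENTRY with the attribute dictionary returned by your LDAP client for a user who belongs to many groups; the functions themselves do not depend on how the entry was fetched.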