Querying an Active Directory group that contains referral objects fails with an error. Symantec DLP does not follow LDAP referrals, so generation of the User Group from that AD group fails.
The verbose Enforce log shows the following error (names redacted):
24 Apr 2012 11:09:34,102- Thread: 23 SEVERE [com.vontu.profiles.manager.InfoSourceIndexCreator] Unexpected error occurred while creating exact data profile "xxxxxxx" version 10. [LDAP: error code 10 - 0000202B: RefErr: DSID-031006BB, data 0, 1 access points
ref 1: 'xxxxxxx'
]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031006BB, data 0, 1 access points
ref 1: 'xxxxxxx'
]; remaining name '<LDAP object reference>'
Detailed Steps to Reproduce:
- Set up a Group Directory
- Add a User Group
- Locate an AD group that contains referral objects (for example, members that live in another domain of the forest) and add it to your User Group
- Save the User Group and note the referral error
The Endpoint Agent is not programmed to chase referrals: it performs a sub-tree search, but it does not follow the referrals the domain controller returns (LDAP result code 10, Windows extended error 0000202B).
The Enforce Management Console also does not follow AD referrals.
Both behaviours are by design, so the error above is expected.
In some instances, one of the following steps may resolve the issue.
a) Add the following line to SymantecDLPManager.conf: set.Context.REFERRAL = follow
Context.REFERRAL is the JNDI environment property java.naming.referral; the value follow tells the LDAP provider to chase referrals automatically. Note that when referrals are followed, the Enforce server must be able to resolve and reach the domain controller the referral points to, and the Group Directory bind account must be accepted by that domain.
Then restart the Enforce server.
b) Set the following variable for the protect user, through the Windows environment variables or the Linux .bash_profile of the protect user.
For Windows:
Context.REFERRAL = follow
For Linux:
export CONTEXT_REFERRAL=follow
Restart the server, open a command prompt (cmd on Windows, a login shell on Linux) as the protect user and verify that the variable is set (set Context.REFERRAL on Windows, echo $CONTEXT_REFERRAL on Linux).
Then try creating the AD group again.
c) Set up a Group Directory connector for each of the main AD domains and query them directly when building the User Groups. The referral objects are usually pointers to AD groups in other domains with which trusts are established. Defining each domain as its own Group Directory removes the need for LDAP referrals altogether; it means working with more AD teams during setup and implementation, but it is ultimately the more robust solution.
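Option c) requires knowing which domains the referrals actually point at. The following script is an added example (not part of this article or of the DLP product) that parses the PartialResultException text as it appears in the Enforce log above, confirms that the failure is an unchased referral (result code 10, extended error 0000202B), and lists the domain controllers named in the ref lines, which are the candidates for their own Group Directory connector. The sample log entry embedded in the script is constructed for illustration; the profile name, referral target and DN are invented.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the Enforce verbose log entry (not a real customer log).
# The profile name, the referral URL and the remaining name are invented.
SAMPLE_LOG = """24 Apr 2012 11:09:34,102- Thread: 23 SEVERE [com.vontu.profiles.manager.InfoSourceIndexCreator] Unexpected error occurred while creating exact data profile "Finance" version 10. [LDAP: error code 10 - 0000202B: RefErr: DSID-031006BB, data 0, 1 access points
ref 1: 'ldap://emea.corp.example.com/CN=Finance-Readers,OU=Groups,DC=emea,DC=corp,DC=example,DC=com'
]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031006BB, data 0, 1 access points
ref 1: 'ldap://emea.corp.example.com/CN=Finance-Readers,OU=Groups,DC=emea,DC=corp,DC=example,DC=com'
]; remaining name 'CN=Finance-Readers,OU=Groups,DC=emea,DC=corp,DC=example,DC=com'
"""

LDAP_REFERRAL = 10          # LDAP resultCode "referral" (RFC 4511)
ERROR_DS_REFERRAL = 0x202B  # Windows extended error: a referral was returned

# Pieces of the JNDI exception message as Enforce writes it to the log.
ERR_RE = re.compile(r"LDAP: error code (?P<code>\d+) - (?P<ds>[0-9A-Fa-f]{8}):")
REF_RE = re.compile(r"ref \d+: '(?P<url>ldaps?://[^']+)'")
REMAINING_RE = re.compile(r"remaining name '(?P<dn>[^']*)'")


def parse_referral_error(text):
    """Extract the LDAP result code, the AD extended error, the referral
    URLs and the unresolved name from a logged PartialResultException.
    Returns None when the text does not carry an LDAP error code."""
    m = ERR_RE.search(text)
    if not m:
        return None
    urls = []
    for r in REF_RE.finditer(text):
        # The outer and the nested exception repeat the same ref lines.
        if r.group("url") not in urls:
            urls.append(r.group("url"))
    rem = REMAINING_RE.search(text)
    return {
        "ldap_code": int(m.group("code")),
        "ds_error": int(m.group("ds"), 16),
        "referrals": urls,
        "remaining_name": rem.group("dn") if rem else None,
    }


def is_unchased_referral(info):
    """True when the parsed error is the referral failure this article covers."""
    return (info is not None
            and info["ldap_code"] == LDAP_REFERRAL
            and info["ds_error"] == ERROR_DS_REFERRAL)


def referral_domains(info):
    """Domain controllers / domains named in the referrals: each one is a
    candidate for its own Group Directory connector (option c)."""
    hosts = []
    for url in info["referrals"]:
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    info = parse_referral_error(SAMPLE_LOG)
    if is_unchased_referral(info):
        print("Unchased LDAP referral while resolving:", info["remaining_name"])
        for host in referral_domains(info):
            print("  needs its own Group Directory (or referral following):", host)
```

Run it against the Enforce log text copied from the server; it only reads the exception message, so it can be run anywhere the log is available. If the host list is short and the domains are trusted, option c) is usually the cleaner fix; if it is long or changes often, enabling referral following per a) or b) is the pragmatic choice.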
References:
http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/update.html
http://technet.microsoft.com/en-us/library/cc978014.aspx