User Import from AD source fails

Article ID: 161048

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

User Import from AD source fails.

(System > Users > Data Sources)

You may see the following error in the localhost logs:

15 Jul 2014 09:17:36,791- SQL Error: 20001, SQLState: 72000
15 Jul 2014 09:17:36,791- ORA-20001: DataUser_STG_PROD_Match - Multiple staging users matched to a single production user

OR

15 Jul 2014 09:17:37,261- Thread: 182 INFO [com.vontu.enforce.domainlayer.datauser.source.ad.LdapSourceUserProvider] Skipped 6534 users during LDAP import. First name and last name must not be empty and either login or email must be available.

Cause

Some users in the AD source used for the import are missing one or more of the following fields:

# FIRST_NAME: First name (mandatory)
# LAST_NAME: Last name (mandatory)
# EMAIL: Email address (mandatory if Login not present)
# LOGIN: Login of user in DOMAIN\LOGIN format (mandatory if Email not present)

If any mandatory field is missing for any user, the AD User Import will fail.
The AD User Import will also fail if AD contains duplicate entries for any user.

Resolution

1) Ensure that all users in AD have the mandatory fields populated. You can export the AD users to a CSV file and check it for users with missing mandatory fields.

Use the following command to export all users from AD:
 a) Open a PowerShell console and run the following command:
 b) csvde -f test.csv -r objectClass=user
 c) This exports all AD users to the file test.csv.
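The check in step 1 can be automated once the export exists. The following Python script is an added example, not part of this article or of the DLP product: it reads a csvde-style CSV, flags the users that the import would skip under the rule in the Cause section (first name and last name must not be empty, and login or email must be present), and lists login or email values shared by more than one user, which is the condition behind the "Multiple staging users matched to a single production user" error. The sample CSV is constructed, and the mapping of the import fields to the AD attributes givenName, sn, sAMAccountName and mail is an assumption; point it at the contents of test.csv for a real check.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout csvde produces: a header row of attribute
# names, then one row per object. Only the attributes relevant to the DLP
# import are included; a real export has many more columns.
SAMPLE_CSVDE_EXPORT = """DN,objectClass,sAMAccountName,givenName,sn,mail
"CN=Alice Adams,OU=Staff,DC=example,DC=com",user,aadams,Alice,Adams,alice.adams@example.com
"CN=Bob Brown,OU=Staff,DC=example,DC=com",user,bbrown,Bob,,bob.brown@example.com
"CN=svc-backup,OU=Service,DC=example,DC=com",user,svc-backup,,,
"CN=Carol Chen,OU=Staff,DC=example,DC=com",user,cchen,Carol,Chen,
"CN=Dan Diaz,OU=Staff,DC=example,DC=com",user,,Dan,Diaz,
"CN=Alice Adams (old),OU=Leavers,DC=example,DC=com",user,aadams2,Alice,Adams,alice.adams@example.com
"""

# Import field names from the article mapped to AD attribute names in the
# export (this mapping is an assumption, not taken from the article).
FIELD_MAP = {
    "FIRST_NAME": "givenName",
    "LAST_NAME": "sn",
    "LOGIN": "sAMAccountName",
    "EMAIL": "mail",
}


def attr(row, field):
    """Value of an import field for one exported row, '' when unset."""
    return (row.get(FIELD_MAP[field]) or "").strip()


def missing_mandatory_fields(row):
    """Return the mandatory-field problems for one exported user.

    Rule from the article: first name and last name must not be empty, and
    at least one of login or email must be present.
    """
    problems = []
    if not attr(row, "FIRST_NAME"):
        problems.append("FIRST_NAME")
    if not attr(row, "LAST_NAME"):
        problems.append("LAST_NAME")
    if not attr(row, "LOGIN") and not attr(row, "EMAIL"):
        problems.append("LOGIN or EMAIL")
    return problems


def check_export(csv_text):
    """Validate a csvde export; return (invalid, duplicates).

    invalid:    {DN: [missing fields]} for rows the import would skip
    duplicates: {(field, value): [DNs]} for login or email values shared by
                more than one user, i.e. several staging users that would
                collapse onto one production user
    """
    invalid = {}
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("objectClass") != "user":
            continue
        dn = row["DN"]
        problems = missing_mandatory_fields(row)
        if problems:
            invalid[dn] = problems
        for field in ("LOGIN", "EMAIL"):
            value = attr(row, field).lower()  # AD matching is case-insensitive
            if value:
                seen[(field, value)].append(dn)
    duplicates = {key: dns for key, dns in seen.items() if len(dns) > 1}
    return invalid, duplicates


def main():
    invalid, duplicates = check_export(SAMPLE_CSVDE_EXPORT)
    print(f"{len(invalid)} user(s) would be skipped for missing fields:")
    for dn, problems in invalid.items():
        print(f"  {dn}: missing {', '.join(problems)}")
    print(f"{len(duplicates)} duplicated login/email value(s):")
    for (field, value), dns in duplicates.items():
        print(f"  {field}={value} shared by {len(dns)} users: {'; '.join(dns)}")


if __name__ == "__main__":
    main()
```

Run against a real export with `check_export(open("test.csv", encoding="utf-16").read())` if csvde wrote the file in Unicode (its -u switch), or with the default encoding otherwise; the DN column makes each reported user easy to locate in Active Directory Users and Computers.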

2) Delete the previously imported users (if an import succeeded previously) and attempt to re-import from AD. The imported users cannot be deleted from the UI; use the script attached to this KB (empty_user_list.sql). Log in to SQLPlus as the protect user to be able to run this script.

Example:
 a) Copy the attached empty_user_list.sql into a temp folder, e.g. c:\SQL_temp
 b) Open a Command Prompt and change to that folder: cd SQL_temp
 c) Launch SQLPlus: sqlplus /nolog
 d) connect [email protected]
 e) Run the script: @empty_user_list.sql
 f) The script writes an output file named empty_data_list.txt into the directory it was launched from.

3) If it is not possible to populate all mandatory fields for all users in AD, you can use the following filter to exclude the users with missing fields from being imported into DLP. The filter is "(&(sAMAccountName=*)(givenName=*)(sn=*))". It excludes every user that does not have the login (sAMAccountName), first name (givenName) and last name (sn) attributes populated.

To add the filter, do the following:
 a) Go to: System > Users > Data Sources
 b) Open the desired data source, or add a new one.
 c) Expand Advanced Options.
 d) Add the filter in the "AD Custom Filter" input box.
 e) Click the Submit button.
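To see which users a custom filter would admit before entering it in the data source, the following Python script is an added example, not from this article or from the product. It parses the presence, equality, &, | and ! subset of LDAP filter syntax and evaluates a filter against a few constructed directory entries. It evaluates the article's filter and, going one step beyond the article, a second filter (an assumption, not given in the article) that expresses the Cause section's own rule, where either login or email is enough: (&(givenName=*)(sn=*)(|(sAMAccountName=*)(mail=*))).

```python
# Constructed directory entries (attribute -> value); '' stands for an
# attribute that is not set on the object.
ENTRIES = {
    "aadams": {"sAMAccountName": "aadams", "givenName": "Alice", "sn": "Adams", "mail": "alice@example.com"},
    "bbrown": {"sAMAccountName": "bbrown", "givenName": "Bob", "sn": "", "mail": "bob@example.com"},
    "svc-backup": {"sAMAccountName": "svc-backup", "givenName": "", "sn": "", "mail": ""},
    "ddiaz": {"sAMAccountName": "", "givenName": "Dan", "sn": "Diaz", "mail": "dan@example.com"},
}

# The filter given in the article.
KB_FILTER = "(&(sAMAccountName=*)(givenName=*)(sn=*))"
# A filter expressing the article's stated rule (first and last name
# mandatory, login OR email mandatory). Assumption, not from the article.
RULE_FILTER = "(&(givenName=*)(sn=*)(|(sAMAccountName=*)(mail=*)))"


def parse_filter(text):
    """Parse the subset of RFC 4515 filter syntax used in user-import
    filters: presence (attr=*), equality (attr=value) and the &, | and !
    operators. Escaped values (\\2a etc.) are not handled. Returns a tree
    of tuples: ('&'|'|'|'!', [children]), ('present', attr) or
    ('equals', attr, value)."""
    pos = 0

    def peek():
        if pos >= len(text):
            raise ValueError("unterminated filter")
        return text[pos]

    def parse():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if peek() in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse())
            if peek() != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        name, sep, value = text[pos:end].partition("=")
        if not name or not sep:
            raise ValueError(f"malformed filter item {text[pos:end]!r}")
        pos = end + 1
        return ("present", name) if value == "*" else ("equals", name, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute -> value)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(child, entry) for child in tree[1])
    if kind == "|":
        return any(matches(child, entry) for child in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    # LDAP attribute names are case-insensitive; values are compared the same way here.
    values = {name.lower(): value for name, value in entry.items()}
    value = values.get(tree[1].lower(), "")
    if kind == "present":
        return value != ""
    return value.lower() == tree[2].lower()


def imported_users(filter_text, entries=ENTRIES):
    """Names of the entries a data-source filter would let through, sorted."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


def main():
    for label, flt in (("article filter", KB_FILTER), ("login-or-email rule", RULE_FILTER)):
        admitted = imported_users(flt)
        excluded = sorted(set(ENTRIES) - set(admitted))
        print(f"{label}: {flt}")
        print(f"  imported: {admitted}")
        print(f"  excluded: {excluded}")


if __name__ == "__main__":
    main()
```

With these entries the article's filter admits only aadams, while the login-or-email variant also admits ddiaz, who has no sAMAccountName but does have a mail address; the difference shows why the filter should be chosen to match exactly the fields the import requires, so that no importable user is silently dropped.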

Applies To

Data Loss Prevention 12.0 and higher.

Attachments

empty_user_list.sql