LDAP user group indexing fails due to OBJECT_NOT_FOUND errors

Article ID: 162374

Products

Data Loss Prevention Enforce

Issue/Introduction

Symantec Data Loss Prevention occasionally fails to index LDAP user groups due to OBJECT_NOT_FOUND errors. This is usually the result of changes to objects in the directory while the indexing process is running.

Cause

When LDAP objects are moved from one group to another or removed from the directory during the Symantec Data Loss Prevention user group indexing process, those objects are no longer accessible using their distinguished name (DN), which results in an OBJECT_NOT_FOUND error. The user group indexing process fails when it encounters such errors.

Resolution

Symantec Data Loss Prevention 14.0.1 includes a new setting in the Indexer.properties file to address this issue: com.vontu.profiles.directoryconnection.maxObjectNotFound. You can use this setting to specify the maximum number of OBJECT_NOT_FOUND errors that can be allowed before the indexing process fails.

To use this new setting, follow this procedure:

  1. Open the /SymantecDLP/Protect/config/Indexer.properties file in a text editor.
  2. Add the com.vontu.profiles.directoryconnection.maxObjectNotFound = n property, where n is the number of allowable OBJECT_NOT_FOUND errors.
  3. Save and close the /SymantecDLP/Protect/config/Indexer.properties file.
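The three steps above amount to an idempotent edit of one key in a Java-style properties file. The following POSIX shell helper is an added example, not a tool shipped with Symantec Data Loss Prevention: it sets com.vontu.profiles.directoryconnection.maxObjectNotFound to a value you pass in, replacing the line if the key is already present and appending it otherwise, and rejects anything that is not a non-negative integer so a typo cannot leave the indexer with an unparseable setting. The file path is the one from this article; the function and file-argument names are this example's own.

```shell
#!/bin/sh
# Added example: idempotently set the maxObjectNotFound property in
# Indexer.properties. Not part of the Symantec DLP product.

KEY='com.vontu.profiles.directoryconnection.maxObjectNotFound'
# Regex form of the key: escape the dots so they match literally.
KEY_RE=$(printf '%s' "$KEY" | sed 's/\./\\./g')

# set_max_object_not_found FILE N
#   Replaces an existing "KEY = value" line or appends one, leaving every
#   other line of the properties file untouched. Returns 1 on bad input.
set_max_object_not_found() {
    file="$1"
    n="$2"
    # N must be a non-negative integer (digits only).
    case "$n" in
        ''|*[!0-9]*) echo "maxObjectNotFound must be a non-negative integer, got '$n'" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    if grep -q "^[[:space:]]*$KEY_RE[[:space:]]*=" "$file"; then
        # Key already present: rewrite that line only.
        sed "s|^[[:space:]]*$KEY_RE[[:space:]]*=.*|$KEY = $n|" "$file" > "$tmp"
    else
        # Key absent: append it at the end of the file.
        cp "$file" "$tmp" && printf '%s = %s\n' "$KEY" "$n" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_max_object_not_found FILE
#   Prints the currently configured value (last occurrence wins), or nothing
#   if the key is not set.
get_max_object_not_found() {
    grep "^[[:space:]]*$KEY_RE[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Usage on an Enforce server (value 5 is illustrative; pick it as the article
# describes, then restart the indexer for the setting to take effect):
#   set_max_object_not_found /SymantecDLP/Protect/config/Indexer.properties 5
```

Run the helper once per edit; because it replaces an existing line rather than appending a duplicate, re-running it with a different value cannot leave two conflicting entries for the key in the file.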

Specify the lowest value that covers the maximum number of individual changes made to the indexed groups while Symantec Data Loss Prevention is indexing your directory groups. This allows directory group indexing to complete successfully most of the time. However, because Symantec Data Loss Prevention cannot distinguish an individual user from a directory group when an OBJECT_NOT_FOUND error occurs, Symantec strongly recommends that you make no changes to a directory group while the indexer is running. Directory indexing is non-transactional, so changes made to directory groups during the indexing process can produce race conditions; such a race condition could, for example, leave an entire group of users missing from the final index. This limitation applies to directory indexing generally, but using the com.vontu.profiles.directoryconnection.maxObjectNotFound setting may increase the risk of encountering such race conditions, depending on the structure of your directory groups and the time the indexing takes to complete.