Active Directory user group exclusion failing in Policy


Article ID: 170685


Updated On:

Products

Data Loss Prevention Enforce Data Loss Prevention

Issue/Introduction

Active Directory (AD) user groups added to a policy as exceptions are not honoured: the policy still creates incidents for members of the excepted group. The Enforce UI Overview page shows no error, so the failure is visible only in the Enforce localhost log.

Localhost log shows the following errors:

02 Dec 2017 00:00:01,738- Thread: 78 WARNING [com.vontu.profiles.manager.directoryconnection.LdapIndexSearchObject] Received null objectClasses
02 Dec 2017 00:00:01,769- Thread: 78 SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: ou=IT Infrastructure,ou=Information Technology,ou=***_Users,dc=***,dc=***,dc=gov
Cause:
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: simple bind failed: Domain.***.***.gov:636; nested exception is javax.naming.CommunicationException: simple bind failed: domain.***.***.gov:636 [Root exception is java.net.SocketException: Connection reset]
org.springframework.ldap.CommunicationException: simple bind failed: Domain.***.***.gov:636; nested exception is javax.naming.CommunicationException: simple bind failed: Domain.***.***.gov:636 [Root exception is java.net.SocketException: Connection reset]
javax.naming.CommunicationException: simple bind failed: Domain.***.***.gov:636
java.net.SocketException: Connection reset
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: simple bind failed: Domain.***.***.gov:636; nested exception is javax.naming.CommunicationException: simple bind failed: Domain.***.***.gov:636 [Root exception is java.net.SocketException: Connection reset]

Cause

The policies were downloaded and accepted by the DLP detection servers, but the AD user group referenced by the exception could not be indexed. As the localhost log shows, the Enforce server's simple bind to the directory server over LDAPS (port 636) failed with a connection reset, so the group entry was never retrieved. With no indexed group the exception matches nothing, and detection keeps generating incidents for the group's members without surfacing an error in the UI.

Resolution

Remove the AD user group from the policy exception. Then re-create the directory server group, so that it is indexed again, and add the re-created group back to the policy exception. Before doing so, confirm in the localhost log that the simple bind to the directory server on port 636 no longer fails with Connection reset; if it still does, the re-created group cannot be indexed either and the exception will fail in the same way. Afterwards, verify that no new incidents are created for members of the group.
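The following script is an added example for triaging this failure; it is not part of the article and not code from Symantec/Broadcom DLP. It parses Enforce localhost log text for the SEVERE UserGroupEntryReaderCreator entries shown above, extracts the group DN that failed to index, the directory server it tried to bind to and the root exception, and also offers a TCP/TLS handshake check against port 636 that can be run from the Enforce host before the group is re-created. The embedded log lines are constructed in the format shown in the article with placeholder hostnames and DNs; the function and variable names (parse_index_failures, summarize_by_cause, check_ldaps) are the example's own.

```python
import re
import socket
import ssl
from typing import Dict, List, Optional

# Constructed sample in the localhost log format shown in the article.
# Hostnames and DNs are placeholders, not taken from any real environment.
SAMPLE_LOG = """\
02 Dec 2017 00:00:01,738- Thread: 78 WARNING [com.vontu.profiles.manager.directoryconnection.LdapIndexSearchObject] Received null objectClasses
02 Dec 2017 00:00:01,769- Thread: 78 SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: ou=IT Infrastructure,ou=Information Technology,ou=Example_Users,dc=example,dc=gov
Cause:
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: simple bind failed: dc01.example.gov:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc01.example.gov:636 [Root exception is java.net.SocketException: Connection reset]
java.net.SocketException: Connection reset
02 Dec 2017 00:00:01,802- Thread: 78 SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=DLP Exempt,ou=Groups,dc=example,dc=gov
Cause:
org.springframework.ldap.CommunicationException: simple bind failed: dc01.example.gov:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc01.example.gov:636 [Root exception is java.net.SocketException: Connection reset]
"""

TIMESTAMP_RE = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}- ")
SEVERE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3})- Thread: (?P<thread>\d+) SEVERE "
    r"\[com\.vontu\.profiles\.manager\.directoryconnection\.UserGroupEntryReaderCreator\] "
    r"Unable to retrieve the following directory group entry: (?P<dn>.+)$"
)
BIND_RE = re.compile(r"simple bind failed: (?P<host>[^:\s;]+):(?P<port>\d+)")
ROOT_RE = re.compile(r"\[Root exception is (?P<root>[^\]]+)\]")


def parse_index_failures(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per directory group that failed to index.

    The stack trace belonging to a SEVERE line runs until the next timestamped
    log line, so the bind target and root exception are taken from that span.
    """
    failures: List[Dict[str, Optional[str]]] = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = SEVERE_RE.match(line)
        if not m:
            continue
        entry: Dict[str, Optional[str]] = {
            "timestamp": m["ts"],
            "group_dn": m["dn"].strip(),
            "server": None,
            "root_cause": None,
        }
        for follow in lines[i + 1:]:
            if TIMESTAMP_RE.match(follow):
                break
            b = BIND_RE.search(follow)
            if b and entry["server"] is None:
                entry["server"] = f"{b['host']}:{b['port']}"
            r = ROOT_RE.search(follow)
            if r and entry["root_cause"] is None:
                entry["root_cause"] = r["root"].strip()
        failures.append(entry)
    return failures


def summarize_by_cause(failures: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Group the affected DNs by root exception (deduplicated, sorted) so the
    operator can see which policy exceptions are silently not applying and why."""
    out: Dict[str, List[str]] = {}
    for f in failures:
        cause = f["root_cause"] or "unknown"
        dn = f["group_dn"] or ""
        if dn not in out.setdefault(cause, []):
            out[cause].append(dn)
    return {k: sorted(v) for k, v in out.items()}


def check_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> str:
    """Do only the TCP connect and TLS handshake to the directory server (no bind,
    no credentials). Returns "ok:<peer CN>" or "fail:<reason>", which separates a
    network/TLS problem such as Connection reset from an LDAP credential problem.
    cafile is the CA bundle that trusts the domain controller certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert() or {}
                subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
                return "ok:" + subject.get("commonName", "?")
    except (OSError, ssl.SSLError) as exc:
        return f"fail:{exc.__class__.__name__}: {exc}"


if __name__ == "__main__":
    for cause, dns in summarize_by_cause(parse_index_failures(SAMPLE_LOG)).items():
        print(cause)
        for dn in dns:
            print("  not indexed:", dn)
```

Run it against the real localhost log with `parse_index_failures(open(path).read())`; every DN it lists is a group whose policy exception is currently not taking effect. A "fail:" result from `check_ldaps` while the log keeps showing "Connection reset" means re-creating the group will not help until the LDAPS path to the directory server is fixed.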

Configuring policy exceptions

Configuring the Recipient based on a Directory Server Group condition