ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Active Directory Index and Replication fails with "Error: indexedDataStatus.ad_query_returned_unknown_error".

book

Article ID: 172263

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

You are seeing errors in the Enforce console under:

Under System -> Settings -> Directory Connections -> [connection name] ->  Index and Replication Status 

This may cause AD-based group rules/exceptions to not work correctly

 

Info localhost log:

SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2

Cause:

org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:

    'ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2'

 ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:

    'ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2'

 

Cause

An object is being searched for with an exact query for example:

ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2

If the object has been moved or deleted, the AD query no longer resolves and the objects will have a red cross against them in group details:

 

Resolution

The solution involves two steps:

A) Eliminate the bad references in the User Groups:

  1. Find the groups which have warning signs by them such as the examples below:

  1. Resolve the issue by searching for and removing incorrect users/groups in AD and re-adding the correct ones (if needed verify it with your AD team).
  2. Reinitiate indexing (enable schedule for indexing or wait for next scheduled timeframe) to verify are no errors when creating the new index. 

B) Add an error threshold, so a new version of the index will still be created, even if there are some unresolved items. NOTE: This option should be used if you are seeing consistent numbers of unresolved items that you are unable to eliminate with step A. 

  1. Open two properties for customer modification in the Indexer.properties. These are existing properties. Related functionality was tested.
  • First one:

# The percentage of corrupted and ignored records allowed for active directory index
com.vontu.profiles.directoryconnection.index.corruption.error.threshold=0

In rare circumstances, the LDAP request returns an active directory record that indexing logic cannot process and breaks the index, so a threshold value was implemented to ignore such cases.

  • Second one:

# Number of attempts to reconnect to active directory service
com.vontu.profiles.directoryconnection.reconnect.retries=0

The Enforce LDAP client may drop the connection in the middle of indexing resulting in a rejected index. As indexing can take hours, a reconnection logic was implemented so the indexer reconnects the number of times specified in the property before terminating.

Restart the DLP Manager for the above to take effect.

Attachments