You are seeing errors in the Enforce console under System -> Settings -> Directory Connections -> [connection name] -> Index and Replication Status.
This may cause AD-based group rules and exceptions to stop working correctly.
In the localhost log:
SEVERE [com.vontu.profiles.manager.di
Cause:
org.springframework.ldap.NameN
'ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2'
]; nested exception is javax.naming.NameNotFoundExcep
'ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2'
The indexer searches for an object using an exact query, for example:
ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2
If the object has been moved or deleted, the AD query no longer resolves and the affected objects are shown with a red cross in the group details.
The solution involves two steps:
A) Eliminate the bad references in the User Groups.
B) Add an error threshold so that a new version of the index is still created even if some items remain unresolved. NOTE: Use this option only if you consistently see unresolved items that you cannot eliminate with step A.
# The percentage of corrupted and ignored records allowed for active directory index
com.vontu.profiles.directoryconnection.index.corruption.error.threshold=0
In rare circumstances, the LDAP request returns an Active Directory record that the indexing logic cannot process, which breaks the index; the threshold value was implemented so that such records are ignored.
# Number of attempts to reconnect to active directory service
com.vontu.profiles.directoryconnection.reconnect.retries=0
The Enforce LDAP client may drop the connection in the middle of indexing, resulting in a rejected index. As indexing can take hours, reconnection logic was implemented so that the indexer reconnects the number of times specified in this property before terminating.
Restart the DLP Manager for the above to take effect.
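As an added illustration (not part of the original article or of the product), the following Python helper pulls the distinct unresolved DNs out of a localhost log so they can be located and removed in step A, and models the step B threshold check. The log line layout, the percent scale of the threshold and the inclusive comparison are assumptions, not documented product behaviour.

```python
import re

# Constructed sample in the shape the article quotes (error, "Cause:" line,
# exception chain, DN on its own line). The exact prefix text is an assumption.
SAMPLE_LOG = """\
SEVERE: Directory connection indexing failed
Cause:
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - no such object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - no such object]; remaining name
'ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2'
INFO: 1200 directory records processed
SEVERE: Directory connection indexing failed
Cause:
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - no such object]; remaining name
'cn=Sales Group, ou=Groups, dc=dc1, dc=dc2'
"""

# First single-quoted string after a NameNotFoundException; [^']* also spans
# the nested javax exception so one event yields one match, not two.
DN_RE = re.compile(r"NameNotFoundException[^']*'([^']+)'")


def normalise_dn(dn):
    """AD compares DNs case-insensitively; strip spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def unresolved_dns(log_text):
    """Distinct DNs that AD reported as not found, in first-seen order."""
    seen = []
    for match in DN_RE.finditer(log_text):
        dn = normalise_dn(match.group(1))
        if dn not in seen:
            seen.append(dn)
    return seen


def index_passes_threshold(unresolved, total, threshold_percent):
    """Model of the corruption threshold: the new index version is accepted
    when the share of unresolved/ignored records is at most the configured
    percentage (assumed: percent scale 0-100, inclusive comparison)."""
    if total <= 0:
        raise ValueError("total must be positive")
    return 100.0 * unresolved / total <= threshold_percent


if __name__ == "__main__":
    dns = unresolved_dns(SAMPLE_LOG)
    for dn in dns:
        print("unresolved reference:", dn)
    print("index accepted at threshold 0:", index_passes_threshold(len(dns), 1200, 0))
    print("index accepted at threshold 1:", index_passes_threshold(len(dns), 1200, 1))
```

Feed it the real localhost log to get the list of references to remove in step A; the unresolved count shown on the Index and Replication Status page is the better input for the threshold check than log occurrences.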