The user data import sync job starts to fail if the directory connection is configured to use a secure connection on port 636. The directory connection test is successful however the related data source for the AD logins sync is failing.

Below errors are seen in the localhost logs on the Enforce:

18 Jul 2021 07:00:05,719- Thread: 177 SEVERE [com.vontu.enforce.domainlayer.datauser.source.DataUserSyncTask] User Synchronization failed:
Cause: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: DomainDnsZones.abc.corp:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching DomainDnsZones.abc.corp found.]]org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: DomainDnsZones.abc.corp:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching DomainDnsZones.abc.corp found.]]

Certificates did not include the CN or SAN for which the LDAP certificate authentication fails.

Following workaround can be applied to disable the Host Name verification (not recommended). We encourage to update the Host Name verification and recommend to update the certificate. 

1. Stop the Symantec DLP Manager Service. 
2. In SymantecDLPManager.conf under Services folder, uncomment the following lines (to uncomment remove # )
   # wrapper.java.additional.30 = -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
3. The uncommented line should like below
   wrapper.java.additional.30 = -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
4. Save the file.
5. Restart the Symantec DLP Manager Service.