DLP Group Directory will not index/replication - LDAP: error code 32
Last Updated May 20, 2016
When trying to index a group directory an error in Data Loss Prevention (DLP) Enforce Console "Unexpected exception while creating exact data profile <group directory name> source version <number of failed attempts>" occurs. The active directory connection and user groups may have existed prior to upgrading DLP.
Tomcat localhost log the following error occurs:
14 Aug 2013 14:00:00,130- Thread: 41 INFO [com.vontu.profiles.manager.InfoSourceIndexJob] Indexing InfoSource Job begin executing
14 Aug 2013 14:00:01,146- No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
14 Aug 2013 14:00:01,146- Thread: 41 SEVERE [com.vontu.profiles.manager.InfoSourceIndexCreator] Unexpected exception while creating exact data profile "companyname.com Source" version 18
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=companyname.com,CN=MicrosoftDNS,CN=System,DC=na,DC=companyname,DC=com'
1. The specified group is in the wrong format and/or is an invalid LDAP object/entry
2. Group Directory is calling an object/entry that is no longer valid or specified in AD
LDAP Distinguished Name. LDAP v2 and LDAP v3 recognize the RFC 1779 and RFC 2247 naming conventions, which take the form cn=common name, ou=organizational unit, o=organization, c=country/region. Active Directory uses the domain component (dc) instead of o=organization and does not support c=country/region. The LDAP distinguished name, the relative distinguished names appear in order beginning at the left with the name of the leaf and ending at the right with the name of the root, as shown here:
2. Open each user group and locate bad entries as specified in the localhost log and additional similar entries
3. Remove the entries from the "Added Groups" field (and/or delete the user group entirely if necessary)
Note: To remove the user group make sure it is not being used in an existing policy. The user group indicates the policy or policies that use that group in the General Field of the user group configuration page: Used in Policy. After determining which policies need to be modified, do so accordingly, Open policy, go to the Groups tab, and remove the specified group. Once the user group have been removed from all linked policies then delete the user group.