You are seeing errors in the Enforce console under:
System -> Settings -> Directory Connections -> [connection name] -> Index and Replication Status
This may cause AD-based group rules/exceptions to not work correctly.
In the localhost log:
SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
The indexer looks each group member up by its exact distinguished name (DN), such as the cn=cn1,ou=OU1,... entry in the log above.
If that object has been moved or deleted in AD, the DN no longer resolves (LDAP error code 32, NO_OBJECT), and the affected objects are shown with a red cross against them in the group details:
The solution involves two steps:
A) Eliminate the bad references in the User Groups:
Find the groups that have warning signs next to them, such as the examples below:
Resolve the issue by searching AD for the incorrect users/groups, removing them from the group, and re-adding the correct ones (verify with your AD team if needed).
Re-initiate indexing (enable the indexing schedule or wait for the next scheduled run) and verify that no errors are reported when the new index is created.
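Step A is easier when the unresolved DNs are pulled out of the localhost log, deduplicated, and split into the object name to search for and the container the indexer expected it in. The script below is an added example for this article, not Symantec code: it parses the SEVERE/NameNotFoundException pairs in the format shown above, honours backslash-escaped commas in CNs, and reports each distinct DN once. The log excerpt is constructed for the example (the DNs, the "INFO" line and the report field names "search_for" and "expected_in" are assumptions of the example, not values from the product).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Enforce localhost log lines (not a real customer log).
# The message and exception text follow the format quoted in the article.
SAMPLE_LOG = """\
INFO  some unrelated log line
SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=Doe\\, John,ou=Users,dc=example,dc=com
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
"""

# The SEVERE line carries the DN; the exception line that follows carries the LDAP code.
UNRESOLVED_RE = re.compile(
    r"Unable to retrieve the following directory group entry: (?P<dn>.+?)\s*$"
)
LDAP_ERROR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): (?P<name>\w+)"
)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes so
    a CN such as 'Doe\\, John' is not broken at the escaped comma."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs: List[Tuple[str, str]] = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def unresolved_entries(log_text: str) -> List[Tuple[str, str]]:
    """Pair each 'Unable to retrieve ...' DN with the LDAP result code on the
    exception line that follows it ('unknown' if that line is missing)."""
    found: List[Tuple[str, str]] = []
    pending: Optional[str] = None
    for line in log_text.splitlines():
        m = UNRESOLVED_RE.search(line)
        if m:
            if pending is not None:
                found.append((pending, "unknown"))
            pending = m.group("dn")
            continue
        if pending is not None:
            e = LDAP_ERROR_RE.search(line)
            if e:
                found.append((pending, f"{e.group('code')} {e.group('name')}"))
                pending = None
    if pending is not None:
        found.append((pending, "unknown"))
    return found


def triage(log_text: str) -> Dict[str, dict]:
    """Deduplicate unresolved DNs; for each, give the leaf RDN value to search
    for in AD and the container in which the indexer expected to find it."""
    report: Dict[str, dict] = {}
    for dn, err in unresolved_entries(log_text):
        rdns = split_dn(dn)
        entry = report.setdefault(dn, {
            "count": 0,
            "error": err,
            "search_for": rdns[0][1] if rdns else dn,
            "expected_in": ",".join(f"{a}={v}" for a, v in rdns[1:]),
        })
        entry["count"] += 1
    return report


if __name__ == "__main__":
    for dn, info in triage(SAMPLE_LOG).items():
        print(f"{info['count']}x {info['error']}: search AD for '{info['search_for']}' "
              f"(expected under {info['expected_in']})")
```

Run it against the real localhost log instead of SAMPLE_LOG to get the list to hand to the AD team; the "search_for" value is what to look up in AD to decide whether the object was renamed, moved, or deleted, and whether the group member should be re-added or dropped.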
B) Add an error threshold so that a new version of the index is still created even if some items remain unresolved. NOTE: use this option only if you see a consistent number of unresolved items that you cannot eliminate with step A. Records skipped under the threshold are simply left out of the index, so any group rule or exception that depends on one of them will still not match.
Two existing properties in Indexer.properties can be modified for this:

# The percentage of corrupted and ignored records allowed for active directory index
com.vontu.profiles.directoryconnection.index.corruption.error.threshold=0

In rare circumstances the LDAP request returns an Active Directory record that the indexing logic cannot process, which breaks the index. The threshold lets the indexer ignore such records up to the configured percentage; at the default of 0, none are allowed.

# Number of attempts to reconnect to active directory service
com.vontu.profiles.directoryconnection.reconnect.retries=0

The Enforce LDAP client may drop the connection in the middle of indexing, resulting in a rejected index. Because indexing can take hours, reconnection logic was implemented: the indexer reconnects up to the number of times specified in this property before terminating.