Incorrect Group Policy applies to LDAP users when you create a Policy Group based on address pattern(s) rather than LDAP entries
Article: TECH94135 | Created: 2009-01-22 | Updated: 2012-08-01 | Article URL: http://www.symantec.com/docs/TECH94135
You want to know the impact of using Policy Groups based on address pattern(s) if you are also using an LDAPSync Source.
You have added an LDAP Synchronization Source and configured one or more Policy Groups using address pattern(s) instead of entries from the LDAPSync Source. You notice that some policies configured under an address-pattern-based Policy Group trigger incorrectly for users whose primary email addresses do not match the address pattern. The "Find User" feature shows that the LDAP user belongs to one or more address-pattern-based Policy Groups.
This behavior is by design. Policy Groups based on address patterns cannot be mixed with Policy Groups based on LDAP entries. When an LDAP Synchronization Source is added to the Symantec Brightmail Gateway (SBG) Appliance, the Policy Engine component performs address resolution against the user's complete LDAP entry (including all of its aliases and its LDAP group and distribution list memberships) to evaluate the user's Policy Group membership, not against the primary email address alone. This means that if a Policy Group is configured with the address pattern *@sub-company.com, address resolution for a user with the primary email address email@example.com and the secondary email address firstname.lastname@example.org will determine that user to be a member of that address-pattern-based Policy Group. Similarly, if the user has the primary email address email@example.com and no secondary email address that matches the address pattern, but is a member of an LDAP distribution list whose email address is firstname.lastname@example.org, address resolution will still determine that user to be a member of the address-pattern-based Policy Group. This may be unexpected behavior in your deployment.
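To make the resolution step above concrete, the following Python script is an added example (not code from the article or from the appliance) that models how a pattern-based Policy Group is evaluated against a full LDAP entry versus the primary address only; the directory, users, lists and pattern it uses are constructed for illustration.

```python
import fnmatch

# Constructed sample directory (not from the article): each entry lists the
# user's primary address, alias addresses and the distribution lists it belongs to.
DIRECTORY = {
    "alice": {"primary": "alice@example.com",
              "aliases": ["alice.smith@sub-company.com"], "groups": ["sales"]},
    "bob": {"primary": "bob@example.com", "aliases": [], "groups": ["sales"]},
    "carol": {"primary": "carol@example.com", "aliases": [], "groups": ["hr"]},
}
# Distribution lists and the email addresses they carry (constructed).
DISTRIBUTION_LISTS = {"sales": ["sales@sub-company.com"], "hr": ["hr@example.com"]}
# Address-pattern-based Policy Groups, as configured on the appliance (constructed).
POLICY_GROUPS = {"SubCompany": ["*@sub-company.com"]}

def resolved_addresses(uid):
    """All addresses the Policy Engine attributes to an LDAPSync user:
    primary, aliases, and the addresses of every list the user belongs to."""
    entry = DIRECTORY[uid]
    addrs = [entry["primary"]] + list(entry["aliases"])
    for group in entry["groups"]:
        addrs.extend(DISTRIBUTION_LISTS.get(group, []))
    return addrs

def matches_pattern(address, patterns):
    # Shell-style wildcard match, case-insensitive as email addresses are
    return any(fnmatch.fnmatchcase(address.lower(), p.lower()) for p in patterns)

def policy_groups_for(uid, full_resolution=True):
    """Policy Groups the user lands in. full_resolution=False checks only the
    primary address (what the admin expected); True checks the whole LDAP entry
    (what the appliance does once an LDAPSync Source is present)."""
    addrs = resolved_addresses(uid) if full_resolution else [DIRECTORY[uid]["primary"]]
    return sorted(name for name, pats in POLICY_GROUPS.items()
                  if any(matches_pattern(a, pats) for a in addrs))

def audit_unexpected_members():
    """Users that a pattern-based Policy Group picks up only through an alias
    or distribution list, i.e. the surprising memberships to review."""
    return {uid: policy_groups_for(uid) for uid in DIRECTORY
            if policy_groups_for(uid) != policy_groups_for(uid, False)}

if __name__ == "__main__":
    for uid, groups in audit_unexpected_members().items():
        print(f"{uid}: primary {DIRECTORY[uid]['primary']} -> {groups}")
```

Running the audit lists every user whose membership differs between the two modes, which is the same set "Find User" would surprise you with on the appliance.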
If you are using an LDAPSync Source, do not create Policy Groups based on address patterns. Policy Groups based on address patterns and Policy Groups based on LDAP entries must not be mixed: if you use Policy Groups based on LDAP entries, do not use Policy Groups based on address patterns. Conversely, if you want to use Policy Groups based on address patterns, do NOT configure an LDAPSync Source and do NOT use Policy Groups based on LDAP entries.