Incorrect Group Policy applies to ldap users when you create a Policy Group based on address pattern(s) rather than ldap entries

Article:TECH94135  |  Created: 2009-01-22  |  Updated: 2012-08-01  |  Article URL http://www.symantec.com/docs/TECH94135
Article Type
Technical Solution

Issue
You want to know the impact of using Policy Groups based on address pattern(s) if you are also using an LDAPSync Source.


Symptoms

You have added an LDAP Synchronization Source and configured one or more Policy Groups using address pattern(s) instead of entries from the LDAPSync Source. You notice that some policies configured under an address-pattern-based Policy Group trigger incorrectly for users whose primary email addresses do not match the address pattern. The "Find User" feature shows that the LDAP user belongs to one or more address-pattern-based Policy Groups.

Cause

This behavior is by design. You cannot mix-and-match Policy Groups based on address patterns and Policy Groups based on LDAP entries. When an LDAP Synchronization Source is added to the Symantec Brightmail Gateway (SBG) Appliance, the Policy Engine component performs address resolution against the complete LDAP entry for a user (including all of its aliases and its LDAP group and distribution list memberships) to evaluate the user's Policy Group membership. This means that if a Policy Group is configured with the address pattern *@sub-company.com, then address resolution for a user with the primary email address user@company.com and the secondary email address user@sub-company.com will determine that user to be a member of that address-pattern-based Policy Group. Similarly, if a user has the primary email address user@company.com and no secondary email address that matches the pattern, but is a member of an LDAP distribution list whose email address is distributionlist@sub-company.com, then address resolution will determine even that user to be a member of the address-pattern-based Policy Group. This may be unexpected behavior for your deployment.
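The address resolution described above, modelled as an added Python example (this is not SBG code): it matches a pattern against every address in a user's entry, as the appliance does once an LDAPSync Source is present, and against the primary address alone, then reports the users that land in the group only through an alias or distribution list address. The directory entries and the *@sub-company.com pattern are constructed sample data.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class LdapEntry:
    """Constructed stand-in for a synchronized LDAP user entry."""
    primary: str
    aliases: list = field(default_factory=list)   # secondary email addresses
    lists: list = field(default_factory=list)     # addresses of DLs/groups the user belongs to

    def all_addresses(self):
        return [self.primary, *self.aliases, *self.lists]


def matches_pattern(address, pattern):
    # Address patterns use shell-style wildcards (*@sub-company.com); compare case-insensitively.
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def pattern_group_members(entries, pattern, full_entry=True):
    """Map primary address -> matching addresses for users resolved into the pattern group.

    full_entry=True models resolution with an LDAPSync Source (every address in the entry counts);
    full_entry=False models matching on the primary address only.
    """
    members = {}
    for entry in entries:
        candidates = entry.all_addresses() if full_entry else [entry.primary]
        hits = [a for a in candidates if matches_pattern(a, pattern)]
        if hits:
            members[entry.primary] = hits
    return members


def unexpected_members(entries, pattern):
    """Users pulled into the group only through an alias or list address, not their primary one."""
    full = pattern_group_members(entries, pattern, full_entry=True)
    primary_only = pattern_group_members(entries, pattern, full_entry=False)
    return {user: hits for user, hits in full.items() if user not in primary_only}


# Constructed sample directory mirroring the cases in the article.
SAMPLE = [
    LdapEntry("user@company.com", aliases=["user@sub-company.com"]),
    LdapEntry("other@company.com", lists=["distributionlist@sub-company.com"]),
    LdapEntry("direct@sub-company.com"),
    LdapEntry("plain@company.com"),
]

if __name__ == "__main__":
    for user, hits in unexpected_members(SAMPLE, "*@sub-company.com").items():
        print(f"{user} is in the pattern group via {', '.join(hits)}")
```

Running it against an export of your own directory shows which users would be caught by a pattern-based Policy Group before any policy under it fires.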

Solution

If you are using an LDAPSync Source, do not create Policy Groups based on address patterns. Do not mix-and-match Policy Groups based on address patterns with Policy Groups based on LDAP entries: if you are using Policy Groups based on LDAP entries, do not also use Policy Groups based on address patterns. Similarly, if you want to use Policy Groups based on address patterns, do NOT configure an LDAPSync Source and do NOT use Policy Groups based on LDAP entries.
Supplemental Materials

Value: 1675500

Legacy ID: 2009052209425754