Data Loss Prevention

  • 1.  Reindex of Group Directories Fails

    Posted Jul 16, 2013 11:35 AM

    Team,

    I recently had to upgrade to 11.6.2 to resolve an issue with User Group indexing where I was able to index one time but anything after that would fail. I upgraded to 11.6.2 and that part seems to be fixed. I am having another issue now with Group Directories after the upgrade. I can create a Group Directory back to AD successfully one time, but any scheduled or manual index after that fails with an "LDAP error code 12". I don't have much experience with LDAP error codes, but I've done some digging around and found that it has something to do with a "PagedResultsControl extension" within AD (logs attached).

    Does anyone know if this is related to Symantec or is this just simply an issue that I would have to deal with on the AD side?

     



  • 2.  RE: Reindex of Group Directories Fails
    Best Answer

    Trusted Advisor
    Posted Jul 17, 2013 04:52 PM

    Tim,

    This may be attributed to the actual source of the LDAP tree you have registered in the DLP console.

    Try to start at the top of the tree rather than going deeper. Also, there might be an error with one of the people in your AD groups. Take a look at the names you have in the DLP console. I have seen it where there is a bad user in the group that needs to be removed.

    Can you create a new group based off the existing LDAP profile?

    If this solves your question, please mark it as solved.

    Ronak



  • 3.  RE: Reindex of Group Directories Fails

    Posted Jul 18, 2013 12:14 PM

    Ronak,

    That does appear to be part of the issue. I was able to speak with our AD owner and they let me know that we have referrals set up and that our protect account does not use AD referrals by default. There are certain users that exist in the OU that DLP is targeting as a User Group that do not exist on that OU physically. Instead, that AD server needs to refer to a secondary location and because of this, the query is killed.

    I am now targeting specific OUs and everything is OK. I'm marking your response as the solution because technically the issue is due to the construction of AD.

    Thank you!