NetApp Knowledge Base

Why does a user account in Cloud Secure Activity Forensics show up like ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX?

Category: cloud-insights
Specialty: oci
Applies to

  • Cloud Insights (CI)
  • Cloud Secure (CS)

Answer

Even when a User Directory Collector is configured correctly to resolve users for a given domain, the User Profile or Activity Forensics entries within Cloud Secure may still be unable to resolve a user. These entries may appear with a name or username similar to ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX.

This is because the application fetches domain users based on the following query:

"(&(objectCategory=person)(objectClass=user))"

If the objectCategory of the LDAP entity does not equal "person", then it will not be fetched by the application and subsequently won't be resolved. To check the objectCategory value for an entry, SSH into the agent and query the LDAP server for the user.

Example:
ldapsearch -o ldif-wrap=no -LLL -x -b "DC=domain,DC=com" -h ldap.domain.com -p 389 -D "CN=bindAccount,OU=Accounts,DC=domain,DC=com" -W "ObjectSID=s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX"

This prompts for the bind account password and then returns the entity data for the specified ObjectSID. Check whether the objectCategory value is "person". If it isn't, the entry will not be fetched by the User Directory Collector.

Additional Information

For computer and service accounts, the objectCategory of the LDAP entity does not equal "person", so these SIDs will not resolve.
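The check described above can be scripted against the ldapsearch output. The following is an added example, not NetApp code: the function name collector_match is hypothetical, the two LDIF entries are constructed samples, and it assumes Active Directory returns objectCategory as a schema DN. It also shows why a computer account is skipped even though its objectClass list includes "user".

```shell
#!/bin/sh
# Mirrors the filter quoted in the article:
#   (&(objectCategory=person)(objectClass=user))
# Assumption: Active Directory returns objectCategory as a schema DN, e.g.
#   CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com

# collector_match (hypothetical name): reads one unwrapped LDIF entry on stdin
# and prints "fetched" or "skipped: <reason>".
collector_match() {
  awk -F': ' '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    tolower($1) == "objectclass" && tolower($2) == "user" { is_user = 1 }
    tolower($1) == "objectcategory" {
      category = tolower($2)
      sub(/^cn=/, "", category)              # drop the RDN attribute type
      sub(/,.*/, "", category)               # keep only the first RDN value
    }
    END {
      if (category == "person" && is_user) print "fetched"
      else if (category == "")             print "skipped: no objectCategory returned"
      else if (category != "person")       print "skipped: objectCategory=" category
      else                                 print "skipped: objectClass lacks user"
    }'
}

# Constructed sample entries (not real directory data).
USER_LDIF='dn: CN=Jane Doe,OU=Accounts,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com'

COMPUTER_LDIF='dn: CN=FILESRV01,CN=Computers,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com'

printf '%s\n' "$USER_LDIF" | collector_match
printf '%s\n' "$COMPUTER_LDIF" | collector_match
```

On the agent, the output of the ldapsearch command from the article can be piped into collector_match in place of the sample entries.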
