Skip to main content
NetApp Knowledge Base

Why does a user account in Cloud InSights Workload Security Activity Forensics show up like ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX?

Views:
679
Visibility:
Public
Votes:
1
Category:
cloud-insights
Specialty:
oci
Last Updated:

Applies to

  • Cloud Insights (CI)
  • Cloud Inights Workload Security

Answer

  • Even when a User Directory Collector is configured correctly to resolve users for a given domain, the User Profile or Activity Forensics entries within Cloud Insights Workload Security  may still be unable to resolve a user. These entries may appear with a name or username similar to ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX.

    This is because the application fetches domain users based on the following query:

    "(&(objectCategory=person)(objectClass=user))"
     
  • If the objectCategory of the LDAP entity does not equal "person", then it will not be fetched by the application and subsequently won't be resolved. To check the objectCategory value for an entry, SSH into the agent and query the LDAP server for the user.

    Example:
    ldapsearch -o ldif-wrap=no -LLL -x -b "DC=domain,DC=com" -h ldap.domain.com -p 389 -D "CN=bindAccount,OU=Accounts,DC=domain,DC=com" -W "ObjectSID=s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX"
     
  • This will prompt for the bind account password, and then will return the entity data for the specified ObjectSID. Look for the objectCategory value to see if it is "person". If it isn't, then it will not be fetched by the User Directory Collector.
     
  • If the the LDAPS protocol is selected and only Unix user activity is being resolved, change the protocol of the collector to Active Directory and make sure the "uid" attribute is correctly mapped in the collector configuration. This will allow both Windows and Unix user activity resolved.

Additional Information

For computer and service accounts the objectCategory of the LDAP entity does not equal "person", therefore these SID's will not resolve.

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.