Why does a user account in Data Infrastructure Insights Workload Security Activity Forensics show up like ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX?
Applies to
- Data Infrastructure Insights (DII) (formerly Cloud Insights)
- Data Infrastructure Insights (DII) (formerly Cloud Insights) Workload Security
Answer
- Even when a User Directory Collector is configured correctly to resolve users for a given domain, the User Profile or Activity Forensics entries within Data Infrastructure Insights Workload Security may still be unable to resolve a user. These entries may appear with a name or username similar to ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX.
This is because the application fetches domain users based on the following query:
"(&(objectCategory=person)(objectClass=user))"
- If the objectCategory of the LDAP entity does not equal "person", then it will not be fetched by the application and subsequently won't be resolved. To check the objectCategory value for an entry, SSH into the agent and query the LDAP server for the user.
Example:
ldapsearch -o ldif-wrap=no -LLL -x -b "DC=domain,DC=com" -h ldap.domain.com -p 389 -D "CN=bindAccount,OU=Accounts,DC=domain,DC=com" -W "ObjectSID=s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX"
- This will prompt for the bind account password, and then will return the entity data for the specified ObjectSID. Look for the objectCategory value to see if it is "person". If it isn't, then it will not be fetched by the User Directory Collector.
- If the LDAPS protocol is selected and only Unix user activity is being resolved, change the protocol of the collector to Active Directory and make sure the "uid" attribute is correctly mapped in the collector configuration. This allows both Windows and Unix user activity to be resolved.
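The objectCategory check described above can be reproduced offline against the LDIF that ldapsearch prints. The following Python script is an added example, not NetApp's code: it parses LDIF as produced by ldapsearch -LLL -o ldif-wrap=no, evaluates the collector's "(&(objectCategory=person)(objectClass=user))" filter with a minimal RFC 4515 evaluator (and/or/not/equality only), and decodes the base64 objectSid value into the S-1-5-... text form shown in unresolved Activity Forensics entries. The three sample entries (a user, a computer account and a managed service account) and their SID are constructed for illustration; the objectCategory values for the computer and service account, and the rule that the filter's short value "person" matches the RDN of the objectCategory DN, are assumptions that approximate Active Directory's behaviour.

```python
"""Check which directory entries the collector's user query would fetch.

Added example (not NetApp's code). Parses LDIF from
`ldapsearch -LLL -o ldif-wrap=no`, applies the collector filter
(&(objectCategory=person)(objectClass=user)) and decodes objectSid.
"""
import base64
from typing import Dict, List, Union

COLLECTOR_FILTER = "(&(objectCategory=person)(objectClass=user))"

# Constructed sample SID S-1-5-21-1111111111-2222222222-3333333333-1105 in binary
# form: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities.
SAMPLE_SID_B64 = base64.b64encode(bytes.fromhex(
    "0105000000000005" "15000000" "c7353a42" "8e6b7484" "55a1aec6" "51040000")).decode()

# Constructed LDIF: objectCategory values are assumed AD schema DNs.
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=Accounts,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
sAMAccountName: alice
objectSid:: {SAMPLE_SID_B64}

dn: CN=FILESRV01,OU=Servers,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com
sAMAccountName: FILESRV01$

dn: CN=svc-backup,CN=Managed Service Accounts,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectClass: msDS-ManagedServiceAccount
objectCategory: CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=domain,DC=com
sAMAccountName: svc-backup$
"""

Entry = Dict[str, List[Union[str, bytes]]]


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries; '::' values are base64 and are kept as bytes."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()  # LDAP attribute names are case-insensitive
        if value.startswith(":"):
            current.setdefault(attr, []).append(base64.b64decode(value[1:].strip()))
        else:
            current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sid_to_string(blob: bytes) -> str:
    """Decode a binary Windows SID into its S-R-A-S1-S2-... text form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-" + "-".join(str(x) for x in [revision, authority, *subs])


def parse_filter(text: str):
    """Parse the RFC 4515 subset used by the collector: &, |, ! and attr=value."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # closing ')'
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    return node()


def matches(tree, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, wanted = tree
    wanted = wanted.lower()
    for value in entry.get(attr, []):
        if isinstance(value, bytes):  # binary values are not compared here
            continue
        value = value.lower()
        if value == wanted:
            return True
        # Assumption: AD resolves a short objectCategory value against the RDN of the DN.
        if attr == "objectcategory" and value.startswith("cn="):
            if value.split(",", 1)[0][3:] == wanted:
                return True
    return False


def classify(ldif_text: str, filter_text: str = COLLECTOR_FILTER) -> Dict[str, dict]:
    """Map each entry's sAMAccountName to whether the collector filter fetches it."""
    tree = parse_filter(filter_text)
    report: Dict[str, dict] = {}
    for entry in parse_ldif(ldif_text):
        name = str(entry.get("samaccountname", ["?"])[0])
        category = str(entry.get("objectcategory", [""])[0])
        sid_blob = entry.get("objectsid", [None])[0]
        report[name] = {
            "fetched": matches(tree, entry),
            "objectCategory": category.split(",", 1)[0],  # RDN only, e.g. CN=Computer
            "sid": sid_to_string(sid_blob) if isinstance(sid_blob, bytes) else None,
        }
    return report


if __name__ == "__main__":
    for name, info in classify(SAMPLE_LDIF).items():
        state = "fetched" if info["fetched"] else "NOT fetched (will not resolve)"
        print(f"{name:12} {info['objectCategory']:36} {info['sid']}  {state}")
```

To use it on real output, pipe the result of the ldapsearch command above into the script in place of SAMPLE_LDIF; an entry whose objectCategory RDN is not CN=Person is reported as not fetched, which is exactly the case that leaves the ldap:domain.com:S-... name unresolved.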
Additional Information
For computer and service accounts, the objectCategory of the LDAP entity does not equal "person", so these SIDs will not resolve.