One of the ways DLP authenticates users is by querying the Active Directory servers configured in SmartConsole. If a legitimate user has accounts on several AD servers, each with a different password, authentication can fail: DLP validates the user against the credentials held by the first AD server that responds. To prevent this error, and to reduce the load caused by constantly querying every AD server, you can define which AD servers DLP queries when:
To define AD servers using GuiDBedit, open the DLPSenderRealm object and then its ldap_au container. The Add/Edit Element window opens.
On a network that contains ten AD servers, perhaps only two of them must be queried. Edit the list to include only the required AD servers.
Note - These AD servers must first be defined in SmartConsole.
The Check Point database tool, GuiDBedit, has a number of properties that set default authentication values. These properties can be used to troubleshoot DLP-related authentication issues. The objects are found under GuiDBedit > Tables > Other > authentication_objects:
Object | Description
---|---
| Controls authentication for the DLP portal and the UserCheck agent. This object contains: Use
| This object controls how DLP identifies users by querying the email address attribute in Active Directory. Use this object to troubleshoot problems involving email lookup in Active Directory. The By default, it searches for the user with the specified email address. To refine the query, you can add other AD attributes to the query or change existing ones. WARNING: Changing this default query might affect DLP rules that enforce a policy according to users or user groups defined by access roles. Known users may become Unknown, and the data they send is allowed to leave the organization.
| This object controls how DLP identifies users by querying the email address attribute in the database of internal users defined in SmartConsole.
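The warning above is easiest to act on if you can see, before changing the query, which known senders would stop resolving. The following is an added example, not Check Point's code or the actual query stored in GuiDBedit: it assumes the lookup is an LDAP filter keyed on the `mail` attribute, uses a refined filter that additionally requires a `department` attribute as an illustration, and evaluates filters with a small offline matcher (equality, presence, and/or/not only) over constructed directory entries instead of a live AD server.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample AD entries (not from any real directory).
AD_ENTRIES: List[Dict[str, str]] = [
    {"mail": "alice@example.com", "objectClass": "user", "department": "finance"},
    {"mail": "bob@example.com", "objectClass": "user"},  # no department set
]
DEFAULT_FILTER = "(mail={email})"                     # assumed default lookup shape
REFINED_FILTER = "(&(mail={email})(department=*))"    # assumed refined lookup

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the sender address must never change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(f: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter element starting at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if f[i] in "&|":  # conjunction / disjunction of sub-filters
        op, parts, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            parts.append(node)
        return (op, parts), i + 1
    if f[i] == "!":   # negation of a single sub-filter
        node, i = _parse(f, i + 1)
        return ("!", [node]), i + 1
    j = f.index(")", i)             # escaped values contain no literal ')'
    attr, value = f[i:j].split("=", 1)
    return ("=", attr, value), j + 1

def _matches(node: tuple, entry: Dict[str, str]) -> bool:
    if node[0] == "&":
        return all(_matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    stored = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if stored is None:
        return False
    return True if value == "*" else stored.lower() == _unescape(value).lower()

def search(entries: List[Dict[str, str]], filter_template: str, email: str) -> List[Dict[str, str]]:
    node, _ = _parse(filter_template.format(email=escape_filter_value(email)), 0)
    return [e for e in entries if _matches(node, e)]

def users_becoming_unknown(entries, default_filter: str, refined_filter: str, known_emails: List[str]) -> List[str]:
    """Known senders that resolve with the current query but not with the proposed one."""
    return [m for m in known_emails
            if search(entries, default_filter, m) and not search(entries, refined_filter, m)]
```

Run `users_becoming_unknown` over the real list of known senders (exported from your own directory) before committing a changed query; any address it returns would be classified Unknown by the new lookup.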