eDirectory Agent: An incorrect policy is being assigned to users

Using eDirectory Agent | Web Protection Solutions | v8.2.x, v8.3.x | 29-Apr-2022

This issue can occur when:

eDirectory Agent is not receiving the user name

The eDirectory root context is defined incorrectly

eDirectory Agent is running on Linux, and NMAS is enabled

eDirectory Agent is not receiving the user name

User requests may not be handled by the correct policy if the user name is not being passed to eDirectory Agent. If a user does not log on to Novell eDirectory server, eDirectory Agent cannot detect the logon. This happens because:

A user logs on to a domain that is not included in the default root context for eDirectory user logon sessions. This root context is specified during installation, and should match the root context specified for Novell eDirectory on the Settings > Directory Services page.

A user tries to bypass a logon prompt to circumvent Forcepoint policy enforcement.

A user does not have an account set up in eDirectory server.

If a user does not log on to eDirectory server, user-specific policies cannot be applied to that user. Instead, the Default policy takes effect. If there are shared workstations in your network where users log on anonymously, apply a computer or network policy to those particular machines.

To determine whether eDirectory Agent is receiving a user name and identifying that user:

Activate eDirectory Agent logging (see Enabling eDirectory Agent diagnostics).

Open the log file you have specified in a text editor.

Search for an entry corresponding to the user who is receiving the incorrect policy.

An entry like the following indicates that eDirectory Agent has identified a user:

WsUserData::WsUserData()
User: cn=Admin,o=novell (10.202.4.78)
WsUserData::~WsUserData()

In the example above, the user Admin logged on to eDirectory server, and was identified successfully.

If a user is being identified, but is still receiving the expected policy, check your policy configuration to verify that the appropriate policy is applied to that user, and that the user name in the Forcepoint Security Manager corresponds to the user name in Novell eDirectory.

If the user is not being identified, verify that:

The user has a Novell eDirectory account.

The user is logging on to a domain that is included in the default root context for eDirectory user logons.

The user is not bypassing a logon prompt.

The eDirectory root context is defined incorrectly

The root context set in the wsedir.ini file is different from the one set for eDirectory Agent in the Forcepoint Security Manager. In this case, although the user can be identified, your web protection software may not be able to apply the correct policy. The user's requests may be handled by a computer or network policy (if applicable), or by the Default policy.

If these root context values are different, a user can log on to two different trees or branches in Novell eDirectory server, and still be identified by eDirectory Agent. However, when Filtering Service determines the policy for this user, it uses the root context specified in the Forcepoint Security Manager to retrieve information. Filtering Service cannot determine the appropriate policy for a user logging into a Novell eDirectory tree or branch outside the specified root context.

Ensure that you are using the same user and the same root context in both the INI file and the Security Manager.

To verify the root context value in wsedir.ini:

On the eDirectory Agent machine, go to the bin directory (C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default).

Open the wsedir.ini file in a text editor.

Verify the line

SearchBase=[DN]

Here, DN is the distinguished name of the eDirectory root context.

Save the file, and then restart eDirectory Agent to activate the changes.

eDirectory Agent is running on Linux, and NMAS is enabled

eDirectory Agent is running on Linux, and the Novell Modular Authentication Service (NMAS) is running when it should not be.

In order for eDirectory Agent to work properly on Linux, NMAS must be disabled in Novell eDirectory server. See your Novell documentation for instructions.