Unable to remove LDAP user account from CA PAM

Article ID: 107749
Products

CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)

Issue/Introduction

An LDAP group had been imported into PAM. When the group was deleted, one of the users in the group remained behind in PAM without any group association. Because it is an LDAP-imported user, it cannot be deleted manually. No error was shown when the user group was deleted.

Cause

Another user on the appliance has its "Email on Login" setting pointing at the user that cannot be removed from PAM, so PAM silently keeps that user when the group is deleted.

Environment

Observed on PAM 3.1.1, but the same issue also appears on older PAM releases.

Resolution

Remove the "Email on Login" references (see the screenshot below) for every user in the group before deleting the LDAP group.

[Screenshot: a user's "Email on Login" setting referencing the orphaned user]

Importing the same LDAP user group again will bring the user back into PAM.

This issue has been fixed in the PAM 3.2 release. If one of the users in the LDAP group is configured as "Email on Login" for some other user, PAM will no longer delete the group and will instead show an error message similar to the following:

Error: PAM-UI-2404: Error deleting group. A user in the user group CN=Group Policy Creator Owners,CN=Users,DC=pam,DC=local could not be deleted, so the group was not deleted. See session logs for details.


Attachments

1558698179802000107749_sktwi1f5rjvs16j8u.png