An LDAP group had been imported into PAM. When the group was deleted, one of the users in the group remained behind in PAM without a group association. Because it is an LDAP-imported user, it cannot be deleted manually. No error was shown when the user group was deleted.
Environment
Observed on PAM 3.1.1 but the same issue will appear on older PAM releases as well.
Cause
Another user on the appliance has its "Email on Login" setting pointing to the user that cannot be removed from PAM.
Resolution
Remove the "Email on Login" references (screen shot below) for all users in the group before deleting the LDAP group.
Importing the same LDAP user group again will bring the user back to PAM. This issue has been fixed in the PAM 3.2 release. If one of the users in the LDAP group is configured as "Email on Login" for some other user, PAM will no longer delete the group and will show an error message similar to the following:
Error: PAM-UI-2404: Error deleting group. A user in the user group CN=Group Policy Creator Owners,CN=Users,DC=pam,DC=local could not be deleted, so the group was not deleted. See session logs for details.