search cancel

Cannot import OpenLDAP Users from posixgroup


Article ID: 113079


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


I cannot import OpenLDAP Users from LDAP server. 
The LDAP configuration is ok. The problem is when I try to import the LDAP Group. 

In the session logs it shows a message like this:
"The object class of the member is unrecognized: top,inetOrgPerson,posixAccount,evolutionPerson,sambaSamAccount"

Only one user was imported. 
The only difference that I saw is that this user has the objectClass attribute = "person"; while the other users not. 
Users are not imported even if the users have an object child  of "person".. 


Component: CAPAMX


The root cause is because the object class of the users in LDAP are not compatible with PAM.
PAM look specifically for object class "person". If that is not included in the object class list, the entry will not be imported as user. 


Customer will have to add the "person" class to the users.

Additional Information

I would also suggest to open an idea requesting to support other object classes instead of "person" only.

If this article didn't fix your issue then please open a case to Support and provide the following logs:
  1. If this is a cluster, login to the master of the primary node and setup the LDAP Sync log level to Verbose.
  2. Reproduce the error by importing the LDAP user group.
  3. Go to Config > Diagnostics and download the System Log Configuration (logs.bin) file.
  4. Rollbak the LDAP Sync log level to Normal.