Is it required to refresh LDAP users groups in PAM ?

Article ID: 117663

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

If a PAM user has policies configured and belongs to an LDAP group, and is then removed from that LDAP group, can the user still access the target devices based on the unchanged policies?

Environment

Release: All supported versions of CA PAM as of November 2023.
Component: CAPAM

Resolution

Please note that PAM's LDAP users are imported into the PAM userDB; PAM authorizes against that imported copy, not against LDAP directly.

Hence, unless the LDAP group is refreshed in PAM after the modification in LDAP, nothing changes from a PAM perspective and the user keeps the access granted by the existing policies.

Once you refresh the LDAP group in PAM:
If the user has left the LDAP group, the policies attached to that group effectively become disabled for the user.
If the user remains in the same LDAP group and only the user's OU changed, the policies remain intact.

Note:
In addition to an explicit manual refresh of the LDAP group from the PAM UI, the LDAP group is also refreshed automatically at the interval set in the Configuration / 3rd Party / LDAP / Update Interval (minutes) field. A removal in LDAP can therefore remain effective in PAM for up to one full update interval unless a manual refresh is performed.
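The following Python model, added here as an illustration and not part of the article or of PAM's own code, shows the behaviour described above: authorization is evaluated against PAM's imported copy of the group, so a user removed in LDAP still passes until the group is refreshed. The `membership_drift` check is a hypothetical helper that lists users whose access would be revoked at the next refresh; the group, policy and user names are constructed sample data.

```python
"""Model of PAM's imported LDAP group membership (constructed example, not PAM code).

PAM authorizes against the copy of the LDAP group it imported into its own
userDB, so a removal in LDAP takes effect only after the group is refreshed
(manually in the UI, or automatically every Update Interval minutes).
"""
from dataclasses import dataclass, field


@dataclass
class PamGroupCache:
    """Imported LDAP groups as PAM holds them: group name -> set of user names."""
    groups: dict = field(default_factory=dict)
    # Hypothetical: target device -> LDAP groups whose policies grant access to it.
    policies: dict = field(default_factory=dict)

    def is_authorized(self, user: str, device: str) -> bool:
        """A policy grants access only while the user is still a member of
        the group in PAM's cached copy (membership is by user name, so an OU
        change alone does not revoke anything)."""
        return any(user in self.groups.get(g, set())
                   for g in self.policies.get(device, []))

    def refresh(self, ldap_groups: dict) -> dict:
        """Re-import the groups from LDAP (the manual or scheduled refresh).
        Returns, per group, the users who lost membership as a result."""
        removed = {}
        for g, live in ldap_groups.items():
            stale = self.groups.get(g, set())
            lost = stale - set(live)
            if lost:
                removed[g] = sorted(lost)
            self.groups[g] = set(live)
        return removed


def membership_drift(cache: PamGroupCache, ldap_groups: dict) -> dict:
    """Hypothetical check: users still present in PAM's cached copy but already
    removed in LDAP. Reports the pending revocations without refreshing."""
    drift = {}
    for g, live in ldap_groups.items():
        lost = cache.groups.get(g, set()) - set(live)
        if lost:
            drift[g] = sorted(lost)
    return drift


def demo():
    """Constructed scenario: bob was removed from db-admins in LDAP after
    PAM's last import. Returns (authorized before refresh, drift, authorized after)."""
    cache = PamGroupCache(
        groups={"db-admins": {"alice", "bob"}},
        policies={"prod-db-01": ["db-admins"]},
    )
    ldap_now = {"db-admins": {"alice"}}          # current state in LDAP
    before = cache.is_authorized("bob", "prod-db-01")   # True: stale copy still grants
    drift = membership_drift(cache, ldap_now)           # {'db-admins': ['bob']}
    cache.refresh(ldap_now)
    after = cache.is_authorized("bob", "prod-db-01")    # False after refresh
    return before, drift, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the revocation gap: the removed user is authorized until `refresh` re-imports the group, which is why a deliberate removal should be followed by a manual refresh in the PAM UI rather than waiting for the update interval.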

Additional Information

Please see also

Import LDAP User Groups

How to Set Up LDAP Servers for User Authentication