LDAP authentication fails with error code -1 and string (:Unknown) in PAM

Article ID: 145589

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Logging in to PAM with an LDAP account fails. After a noticeable delay, the following message is displayed:

PAM-CMN-0979 LDAP authentication failed for user <LDAP user> with error code -1 and error string (:Unknown)

followed by

PAM-CMN-0900 Bad User ID or Password

even though the LDAP server has been configured correctly under the 3rd Party section in Configuration of the PAM server.

Cause

One possible cause is that the DNS server PAM uses cannot resolve the name of one or more of the LDAP servers configured in the LDAP option under 3rd Party in the Configuration menu of the PAM server. Because the LDAP host name cannot be resolved to an IP address, PAM is unable to contact the server to authenticate the user entered on the login page, and it reports this error instead. The -1 code and the (:Unknown) string indicate that no LDAP response was received at all, which distinguishes this case from a failure returned by the LDAP server itself.

Environment

CA PAM all versions

Resolution

Make sure that the LDAP servers specified under LDAP in Configuration/3rd Party are resolvable from PAM.
Use the Tools option under Configuration to verify that the PAM server can resolve the name of each LDAP server configured under 3rd Party/LDAP to its IP address.
If the DNS configured for PAM is unable to resolve one or all of the LDAP servers configured under 3rd Party, add a DNS server to PAM that can resolve them. To do so, edit the DNS entries under the Network Settings section of Configuration to add the desired DNS server, then restart networking.
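As an added example (not part of this article or of the PAM product), the script below separates PAM-CMN-0979 log lines that carry the -1/(:Unknown) signature from failures that the LDAP server actually answered, and then checks whether each configured LDAP host name resolves from the machine running the script. The log lines and host names are constructed for illustration; the resolver check uses the local system resolver rather than the PAM Tools option.

```python
import re
import socket

# Constructed sample log lines. The first two follow the format quoted in the article;
# the third is a constructed contrast line with a hypothetical LDAP result (code 49,
# invalidCredentials) to show what a server-returned failure looks like.
SAMPLE_LOG = """\
PAM-CMN-0979 LDAP authentication failed for user jdoe with error code -1 and error string (:Unknown)
PAM-CMN-0900 Bad User ID or Password
PAM-CMN-0979 LDAP authentication failed for user asmith with error code 49 and error string (Invalid credentials)
"""

LINE_RE = re.compile(
    r"PAM-CMN-0979 LDAP authentication failed for user (\S+) "
    r"with error code (-?\d+) and error string \((.*)\)$"
)


def classify_failures(log_text):
    """Return a list of (user, code, error_string, likely_cause) for each PAM-CMN-0979 line.

    code -1 with ':Unknown' means PAM never got an answer from the LDAP server, so the
    first thing to verify is name resolution and reachability of the configured hosts.
    """
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, code, err = m.group(1), int(m.group(2)), m.group(3)
        if code == -1 and err == ":Unknown":
            cause = "ldap-server-unreachable: check DNS resolution of configured LDAP hosts"
        else:
            cause = "ldap-server-responded: credential or directory problem, not DNS"
        results.append((user, code, err, cause))
    return results


def check_resolution(hostnames):
    """Map each host name to its resolved IPv4 address, or None if resolution fails."""
    resolved = {}
    for host in hostnames:
        try:
            resolved[host] = socket.gethostbyname(host)
        except OSError:  # covers socket.gaierror and socket.herror
            resolved[host] = None
    return resolved


if __name__ == "__main__":
    for entry in classify_failures(SAMPLE_LOG):
        print(entry)
    # Hypothetical LDAP host names as they would appear under 3rd Party/LDAP.
    for host, ip in check_resolution(["ldap1.example.internal", "localhost"]).items():
        print(f"{host}: {ip if ip else 'NOT RESOLVABLE - add a DNS server that knows this name'}")
```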

Additional Information

20314985