When LDAP user UPN updates, the username does not update

Article ID: 188727

Products

- CA Privileged Access Manager (PAM)
- CA Privileged Access Manager - Cloakware Password Authority (PA)
- CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When LDAP user UPN updates, the username does not update.

We have updated the UPNs of our AD users to a new format, but PAM does not recognize the new UPN as a valid User Name.

On inspection, the PAM User Name is still the UPN that was originally synced, and it does not change even if the user is removed from PAM and synced again later.

Environment

Release : 3.1.1

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

For LDAP authentication, PAM relies on the domain settings under Configuration -> 3rd Party -> LDAP.

Select the AD domain that is already configured and click Update.

Go to the "Custom Field Mapping" tab and check which AD attributes are mapped:

- Subject Name = distinguishedName
- Subject AltName = userPrincipalName

The User Name shown in PAM is derived from the attribute mapped to Subject Name, that is, the distinguishedName (its CN component), not from the UPN. This is why changing only the UPN in AD does not rename the user in PAM.

Example values for the user Mickey in MS AD:

- distinguishedName = CN=Mickey Mouse,OU=pam,DC=ADIdentity,DC=com
- userPrincipalName = [email protected] (the prefix is MOUMI22, as used in the login test below)
- sAMAccountName = MOUMI01

When authenticating with the PAM Client, login succeeds with either of these values:

1. - UserName: MOUMI22 (the prefix of userPrincipalName)
- Authentication Type: LDAP
- Authentication OK

2. - UserName: MOUMI01 (the value of sAMAccountName)
- Authentication Type: LDAP
- Authentication OK

3. Authentication therefore already works with the new UPN. To make the User Name displayed in PAM follow the new UPN as well, the distinguishedName in AD must also be changed, from "CN=Mickey Mouse,OU=pam,DC=ADIdentity,DC=com" to a CN that matches the UPN prefix: "CN=MOUMI22,OU=pam,DC=ADIdentity,DC=com". Then run a new Group Refresh in CA PAM.

After the refresh, CA PAM shows the same UPN and distinguishedName as MS AD.
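The following PowerShell script is an added example that is not part of the original article or of CA PAM; it carries out the AD side of steps 1 to 3 above. It assumes the ActiveDirectory module (RSAT) is available, that the account is identified by its sAMAccountName MOUMI01 as in the article, and that the CN should be set to the UPN prefix. The attribute names, DN and account values are the ones from the article; everything else is illustrative.

```powershell
# Added example (not part of the original article). Assumes the ActiveDirectory
# module is installed and the account is identified by its sAMAccountName as
# in the article. Run as-is first: the rename is protected by -WhatIf.
Import-Module ActiveDirectory

$sam  = 'MOUMI01'
$user = Get-ADUser -Identity $sam -Properties userPrincipalName, distinguishedName, sAMAccountName

# Show the attributes CA PAM maps: Subject Name = distinguishedName,
# Subject AltName = userPrincipalName, plus sAMAccountName for reference.
$user | Select-Object DistinguishedName, UserPrincipalName, SamAccountName | Format-List

# CA PAM derives the displayed User Name from the Subject Name mapping (the DN),
# so compare the CN (the RDN value, exposed by Get-ADUser as Name) with the UPN prefix.
$upnPrefix = ($user.UserPrincipalName -split '@', 2)[0]

if ($user.Name -eq $upnPrefix) {
    Write-Host "CN already matches the UPN prefix '$upnPrefix'; nothing to rename."
} else {
    Write-Host "CN '$($user.Name)' differs from the UPN prefix '$upnPrefix'; renaming the object."
    # Rename-ADObject changes the RDN (CN=...) and therefore the distinguishedName.
    # Group memberships are linked attributes and follow the renamed object,
    # but any external configuration that stores the old DN as a string must be updated.
    Rename-ADObject -Identity $user.DistinguishedName -NewName $upnPrefix -WhatIf
    # Remove -WhatIf once the preview is correct, then run a Group Refresh in CA PAM.
}

# Re-read to confirm the new DN, e.g. CN=MOUMI22,OU=pam,DC=ADIdentity,DC=com
Get-ADUser -Identity $sam | Select-Object DistinguishedName, UserPrincipalName
```

Renaming the CN is a modify-DN operation in AD, so check first whether anything other than PAM references the user's old DN literally (for example LDAP filters or bind configurations in other applications); PAM itself picks up the new DN on the next Group Refresh.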