When LDAP user UPN updates, the username does not update
Article ID: 188727
Updated On:
Products
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)
Issue/Introduction
When LDAP user UPN updates, the username does not update.
We have updated AD User UPNs to a new format but PAM does not recognize the new UPN as a valid User Name.
From inspection, the User Name is the originally sync'd UPN and will not change even if the user is removed and resync'd later on.
Environment
Release : 3.1.1
Component : PRIVILEGED ACCESS MANAGEMENT
Resolution
We relies for authentication over the Configuration -> 3rd Party -> LDAP
Click over Update the AD domain already configured.
Go to "Custom Field Mapping" tab to check both AD attributes:
- Subject Name = distinguishedName
- Subject AltName = userPrincipalName
Example values for user Mickey are in MS AD:
- distringuedname = CN=Mickey Mouse,OU=pam,DC=ADIdentity,DC=com
- userPrincipalName = [email protected]
- sAMAccountName = MOUMI01
- When trying authenticate using one of this values in PAM Client can login with both information this is login successfully:
1. - UserName: MOUMI22 (The value for userPrincipalName)
- Authentication Type: LDAP
- Authentication OK
2. - UserName: MOUMI01 (The value for sAMAccountName)
- Autnentication Type: LDAP
- Authentication OK
3. Additionally to UPN it's necessary also to change distinguishedName in AD from "CN=Mickey Mouse,OU=pam,DC=ADIdentity,DC=com" to same than UPN: "CN=MOUMI22,OU=pam,DC=ADIdentity,DC=com" and do a new Group Refresh in CA PAM
In this way CA PAM will show same UPN and distinghishedName from MS AD the same.
Click over Update the AD domain already configured.
Go to "Custom Field Mapping" tab to check both AD attributes:
- Subject Name = distinguishedName
- Subject AltName = userPrincipalName
Example values for user Mickey are in MS AD:
- distringuedname = CN=Mickey Mouse,OU=pam,DC=ADIdentity,DC=com
- userPrincipalName = [email protected]
- sAMAccountName = MOUMI01
- When trying authenticate using one of this values in PAM Client can login with both information this is login successfully:
1. - UserName: MOUMI22 (The value for userPrincipalName)
- Authentication Type: LDAP
- Authentication OK
2. - UserName: MOUMI01 (The value for sAMAccountName)
- Autnentication Type: LDAP
- Authentication OK
3. Additionally to UPN it's necessary also to change distinguishedName in AD from "CN=Mickey Mouse,OU=pam,DC=ADIdentity,DC=com" to same than UPN: "CN=MOUMI22,OU=pam,DC=ADIdentity,DC=com" and do a new Group Refresh in CA PAM
In this way CA PAM will show same UPN and distinghishedName from MS AD the same.
Feedback
Yes
No
Powered by
