CA PAM policies and device access lost for many users
Article ID: 190637
CA Privileged Access Manager (PAM)
When LDAP or another external source is used to populate user or device groups, it is not uncommon for the policies of certain accounts to go missing, so that devices become inaccessible.
Release: 3.2.X and 3.3.X
A possible cause of this problem is a momentary loss of connectivity to LDAP during one of the regular updates of a device or user group.
If the LDAP connection is lost, CA PAM fails to update the already existing device or user groups. For instance, messages like the following may be seen:
2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0003: All servers to LDAP domain DC=amorg,DC=group are down. LDAP sync for group CN=PAM_GROUP1,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=xxx,DC=group will not be attempted.",0, --,,0
2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0008: Updating LDAP Group CN=PAM_GROUP2,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=xxx,DC=group failed. Connection to all configured LDAP servers failed. 0 New Devices, 0 Updated Devices, 0 Deleted Devices, 0 Failed New Devices, 0 Failed Updated Devices, 0 Failed Deleted Devices, 0 Devices Retrieved From LDAP Directory Server",0, --,,0
These messages mean that PAM was unable to retrieve any server or object from that LDAP server because of a connectivity issue.
For consistency and security reasons, the PAM behaviour in these cases is to delete the corresponding LDAP device or user group. If such an LDAP group is assigned to a policy, the policy may end up deleted or incomplete, preventing access for users or to devices.
There is no easy workaround for this, since it is working as designed. If the problem is observed, it is advised to re-establish connectivity to LDAP and refresh the affected groups as soon as possible.
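As an added example (not part of this article or of the product), the following Python script scans PAM log lines for the PAM-LDAP-0003 and PAM-LDAP-0008 messages quoted above and lists the group DNs whose sync was skipped or failed, so an administrator can refresh those groups and check their policies after LDAP connectivity is restored. The sample log is constructed from the two entries above plus one unrelated line; the message code EXAMPLE-0000 is a placeholder.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List

# Message codes quoted in the article: the scheduled sync was skipped (0003) or failed (0008).
FAILED_SYNC_CODES = {"PAM-LDAP-0003", "PAM-LDAP-0008"}
CODE_RE = re.compile(r"^(PAM-LDAP-\d{4}):")
# The group DN sits between "group " and either " will not be attempted" or " failed".
GROUP_DN_RE = re.compile(r"[Gg]roup (CN=.*?)(?: will not be attempted| failed)")


@dataclass(frozen=True)
class FailedSync:
    timestamp: str
    code: str
    group_dn: str


def parse_failed_syncs(log_text: str) -> List[FailedSync]:
    """Return one FailedSync per CSV log line whose message field carries a failed-sync code."""
    found = []
    for row in csv.reader(io.StringIO(log_text)):
        for field in row:  # the message is a quoted field, so csv keeps the commas of the DN intact
            code_match = CODE_RE.match(field)
            if not code_match or code_match.group(1) not in FAILED_SYNC_CODES:
                continue
            dn_match = GROUP_DN_RE.search(field)
            group_dn = dn_match.group(1) if dn_match else "<group DN not parsed>"
            found.append(FailedSync(row[0].strip(), code_match.group(1), group_dn))
    return found


def groups_at_risk(events: List[FailedSync]) -> List[str]:
    """Distinct group DNs whose sync failed. Per the article PAM deletes these groups, so every
    policy that references one of them must be checked once LDAP is reachable again."""
    return sorted({e.group_dn for e in events})


# Constructed sample: the two entries quoted in the article plus one unrelated placeholder line.
SAMPLE_LOG = "\n".join([
    '2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0003: All servers to LDAP domain DC=amorg,DC=group are down. LDAP sync for group CN=PAM_GROUP1,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=xxx,DC=group will not be attempted.",0, --,,0',
    '2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0008: Updating LDAP Group CN=PAM_GROUP2,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=xxx,DC=group failed. Connection to all configured LDAP servers failed. 0 New Devices, 0 Updated Devices, 0 Deleted Devices, 0 Failed New Devices, 0 Failed Updated Devices, 0 Failed Deleted Devices, 0 Devices Retrieved From LDAP Directory Server",0, --,,0',
    '2020/04/28 14:13,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"EXAMPLE-0000: constructed unrelated entry",0, --,,0',
])

if __name__ == "__main__":
    events = parse_failed_syncs(SAMPLE_LOG)
    for e in events:
        print(f"{e.timestamp}  {e.code}  {e.group_dn}")
    print("groups to refresh and verify after reconnecting LDAP:", groups_at_risk(events))
```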