Sometimes, after logging in to CA PAM, any attempted LDAP operation fails, and at the same time the dashboard shows the warning "PAM-CMN-0628: An LDAP operation is in progress".
The system stays in this state for a long time, suggesting that the LDAP synchronization process is hung. For as long as the LDAP sync is in progress but stuck, neither refreshes of existing device or user groups nor imports of new LDAP groups are possible.
PAM launches a separate process to refresh LDAP groups at the time intervals configured on the Configuration > 3rd Party > LDAP page.
The same process is launched when a PAM administrator refreshes an existing group or imports a new group. PAM allows only one instance of it, so while an instance is running (or hung) the administrator cannot start another refresh or import.
If the cluster, or at least the primary site lead node (where the LDAP import runs), cannot be restarted to clear the hung process, engage Broadcom Support so that they can access the system and correct the issue manually by killing the appropriate processes.
The LDAP refresh interval specified on the configuration page is meant to be the time elapsed between synchronizations, measured from the moment one synchronization finishes, so successive refreshes should not overlap by design. However, as a preventive action, this LDAP refresh interval under the Third-Party options in Configuration may be increased to make sure that no issue is causing successive LDAP refreshes to overlap.
Support can supply the PAM_SUPPORT_KILL_LDAP_IMPORT patch; open a support case requesting it.
The PAM_SUPPORT_KILL_LDAP_IMPORT patch kills a hung LDAP process on a PAM server. It is intended for use when the PAM dashboard keeps showing the "PAM-CMN-0628: An LDAP operation is in progress." warning continuously for much longer than the expected duration of an LDAP refresh, while the session logs show no LDAP refresh activity; together, these are clear evidence that the LDAP refresh is hung.
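The two checks above (the warning persisting far longer than a refresh normally takes, and successive refreshes never overlapping) can be applied mechanically to exported session logs before opening a case. The following Python script is an added example, not code from this article or from CA PAM: the log line format, the "LDAP refresh started/completed" wording, the sample entries and the threshold factor of 3 are all assumptions made here for illustration, so the regular expression will need adjusting to whatever your exported session log actually contains.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample session log (assumed format, NOT PAM's real one):
# three refreshes that completed normally, then one that started and
# never logged a completion, i.e. the hung case described in the article.
SAMPLE_LOG = """\
2021-04-03 01:00:00 INFO  LDAP refresh started group=Finance-Users
2021-04-03 01:04:10 INFO  LDAP refresh completed group=Finance-Users
2021-04-03 02:04:10 INFO  LDAP refresh started group=Finance-Users
2021-04-03 02:09:30 INFO  LDAP refresh completed group=Finance-Users
2021-04-03 03:09:30 INFO  LDAP refresh started group=Finance-Users
2021-04-03 03:13:00 INFO  LDAP refresh completed group=Finance-Users
2021-04-03 04:13:00 INFO  LDAP refresh started group=Finance-Users
"""

# Assumed line layout: "<timestamp> <level> LDAP refresh started|completed ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+\s+"
    r"LDAP refresh (?P<event>started|completed)\b"
)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


@dataclass
class Run:
    start: datetime
    end: Optional[datetime] = None  # None: no completion logged yet

    def elapsed(self, now: datetime) -> timedelta:
        return (self.end or now) - self.start


def parse_runs(log_text: str) -> List[Run]:
    """Pair 'started'/'completed' lines into Run objects, in log order."""
    runs: List[Run] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        if m.group("event") == "started":
            runs.append(Run(start=ts))
        elif runs and runs[-1].end is None:
            runs[-1].end = ts
    return runs


def overlaps(runs: List[Run]) -> List[int]:
    """Indexes of runs that started before the previous run had completed.

    PAM allows only one instance, so this should never happen; if it does,
    the configured refresh interval is effectively too short.
    """
    bad = []
    for i in range(1, len(runs)):
        prev = runs[i - 1]
        if prev.end is None or runs[i].start < prev.end:
            bad.append(i)
    return bad


def diagnose(log_text: str, now: datetime, factor: float = 3.0) -> dict:
    """Decide whether an 'in progress' refresh looks hung.

    The expected duration is the longest completed refresh seen in the log.
    An unfinished run is flagged as hung once it has been open for more than
    `factor` times that duration; the factor is an assumed threshold, tune it
    to the size of the directory being synchronized.
    """
    runs = parse_runs(log_text)
    completed = [r for r in runs if r.end is not None]
    open_runs = [r for r in runs if r.end is None]
    expected = max((r.elapsed(now) for r in completed), default=timedelta(0))
    open_elapsed = open_runs[-1].elapsed(now) if open_runs else None
    hung = (
        open_elapsed is not None
        and expected > timedelta(0)
        and open_elapsed > expected * factor
    )
    return {
        "runs": len(runs),
        "expected_duration": expected,
        "open_elapsed": open_elapsed,
        "overlaps": overlaps(runs),
        "hung": hung,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, now=parse_ts("2021-04-03 06:00:00"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed log the longest completed refresh took 5m20s, while the last run has been open for 1h47m with no completion logged, so the script reports it as hung; at 04:20, seven minutes after it started, the same run is still within the expected window and is not flagged. A non-empty "overlaps" list is the signal that the refresh interval should be increased as the article suggests.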
210403-LDAP operation is in progress