Sometimes when logging in to CA PAM and trying to carry out any LDAP operation, the process results in failure. At the same time, the dashboard shows a message indicating that "PAM-CMN-0628: An LDAP operation is in progress" 

The system stays in this state for a long time suggesting that a process may be hung. For as long as LDAP Sync is in progress but stuck, neither refreshes of existing device or user groups, nor import of new LDAP groups, is possible.

CA Privileged Access Management versions up to 4.x

PAM launches a separate process to refresh LDAP groups at the time intervals configured on the Configuration > 3rd Party > LDAP page.

The same process is launched when a PAM Administrator tries to refresh an existing group or import a new group. PAM allows only one instance, so while an instance is running, the PAM administrator will not be able to do a refresh or import.

If cluster cannot be restarted and/or primary site lead node (where LDAP import takes place) cannot be restarted either, please engage Broadcom Support so that they can access your system and correct the issue manually by killing the appropriate processes.

The LDAP refresh interval specified in the configuration page should be the time elapsed between synchronization processes after one synchronization finishes. However, as a preventive action, this LDAP refresh interval under the Third-Party options in Configuration may be increased to make sure no issue is causing successive LDAP refreshes to overlap each other.

Additional scheduling options have been added in PAM version 4.1.6 , see "LDAP Synchronization Scheduling" in the "New Features in 4.1.6" section of the PAM manual online.