LDAP sync runs for more than 24 hours. PAM-CMN-0628: An LDAP operation is in progress always shown on dashboard and PAM admin cannot refresh or add LDAP groups


Article ID: 193520


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Sometimes, after logging in to CA PAM, any attempt to carry out an LDAP operation fails. At the same time, the dashboard shows the message "PAM-CMN-0628: An LDAP operation is in progress".

The system stays in this state for a long time, which suggests that a process may be hung. For as long as the LDAP sync is reported as in progress but is actually stuck, neither refreshing existing device or user groups nor importing new LDAP groups is possible.

Cause

PAM launches a separate process to refresh LDAP groups at the time intervals configured on the Configuration > 3rd Party > LDAP page.

The same process is launched when a PAM Administrator refreshes an existing group or imports a new group. PAM allows only one instance of this process, so while an instance is running the PAM administrator cannot start a refresh or an import.

In September 2020 a problem was identified that may cause the LDAP import/refresh process to hang. All releases supported as of September 2020, including the latest maintenance releases 3.4.1 and 3.3.4, are affected.

Environment

CA Privileged Access Management versions up to 3.3.4 and 3.4.1.

Resolution

If the cluster cannot be restarted, and the primary site lead node (where the LDAP import takes place) cannot be restarted either, engage Broadcom Support so that they can access your system and correct the issue manually by killing the appropriate processes.

As a preventive action, in case the condition is caused by an excessive LDAP synchronization time that makes two successive runs overlap, increase the LDAP refresh interval under the Third Party options in Configuration.

A problem that may cause the process to hang has been identified and will be fixed in 3.4.2 and later releases.