Default behaviour of expired LDAP accounts in PAM

Article ID: 193532

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In CA PAM there are two options under Global Settings > Accounts: “Remove Disabled After (Days)” and “Disable Inactive After (Days)”.

These settings work for local accounts. This article explains what happens in the case of LDAP accounts.

Environment

CA PAM all versions

Resolution

These settings do not affect LDAP-imported users.

If an LDAP user is expired or disabled, it will still be present in CA PAM and it will not be automatically removed from the product.

The reason is that the addition, removal and refreshing of LDAP users are controlled solely by Active Directory. For as long as a user is a member of an LDAP group in AD that PAM uses, the user will not be removed from CA PAM.

When the user logs in, authentication is delegated to AD, so if a user is disabled or expired in AD, access will not be granted, regardless of whether the user is still present in CA PAM.
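Because PAM keeps such users until they leave the AD group, the practical check is to audit that group on the AD side. The following PowerShell script is an added example, not part of this article or the product; it assumes the RSAT ActiveDirectory module is installed and uses the placeholder group name PAM-Users for the group that PAM imports.

```powershell
# Added example (not from the article): list members of the AD group that CA PAM
# imports which AD has disabled or expired. PAM will not remove these users on
# its own, so this is the list to review and clean up in AD.
# Assumes the ActiveDirectory module (RSAT); 'PAM-Users' is a placeholder name.
param(
    [string]$GroupName = 'PAM-Users'   # placeholder: the AD group imported into PAM
)

Import-Module ActiveDirectory

$now = Get-Date

# Resolve user members (including nested groups); skip computers and groups.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$stale = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties Enabled, AccountExpirationDate, LastLogonDate

    # AccountExpirationDate is null when the account never expires.
    $expired = ($null -ne $u.AccountExpirationDate) -and ($u.AccountExpirationDate -lt $now)

    if (-not $u.Enabled -or $expired) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Expires        = $u.AccountExpirationDate
            LastLogon      = $u.LastLogonDate
            Reason         = if (-not $u.Enabled) { 'Disabled' } else { 'Expired' }
        }
    }
}

# Each row is a user still in the PAM group that AD will refuse to authenticate.
$stale | Sort-Object SamAccountName | Format-Table -AutoSize
```

Removing the listed users from the group in AD is what causes PAM to drop them on its next LDAP refresh.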