Default behaviour of expired LDAP accounts in PAM



Article ID: 193532




CA Privileged Access Manager (PAM)


In CA PAM there is an option

Global Settings > Accounts > "Remove Disabled After (Days)" and "Disable Inactive After (Days)"

These settings work for local accounts. This article explains what happens in the case of LDAP accounts.


CA PAM all versions


These settings do not affect the LDAP-imported users. 

If an LDAP user is expired or disabled, it will still be present in CA PAM and it won't be automatically removed from the product.

This is because the addition, removal and refreshing of LDAP users are controlled solely by Active Directory. For as long as a user is a member of an AD group that PAM imports from, the user will not be removed from CA PAM.

When the user logs in, authentication is delegated to AD. So if a user is disabled or expired in AD, access will not be granted, regardless of whether the user is still present in CA PAM.