Inconsistent User/Group Listing with UNAB
search cancel

Inconsistent User/Group Listing with UNAB


Article ID: 201371


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM)


When UNAB is running, user authentication is sporadically failing. Users are authorized at the group level and when `uxconsole -manage -show -detail -user unabuser` is run, some of the user's groups are missing. After restarting UNAB, some times multiple times, the groups are listed again.


Unix Authentication Broker 12.8 sp1 and above


The inconsistent behavior indicates that there is an environmental issue causing UNAB to get different results when querying Active Directory. This was confirmed by using uxconsole to run LDAP queries to each of the domain controllers UNAB communicates with. On one of the DCs in the environment, the LDAP query could not find the specified group.

Sample output:

# uxconsole -krb -init -k > /dev/null
# cn= Sample-UNAB-Group
# uxconsole -ldap -search -d DomainController04 \(cn=$cn\)
CA ControlMinder UNAB uxconsole v12.81.0.3888 - console utility
Copyright (c) 2013 CA. All rights reserved.

Processing references ...
dn: ldap://,DC=company,DC=com
dn: ldap://,DC=company,DC=com
dn: ldap://,DC=company,DC=com

No such entries


In order to stabilize UNAB performance while the issue with the domain controller is reviewed, modify uxauth.ini and add the problem domain controller to the ignore_dc_list list. After making the modification, restart UNAB for the changes to take effect.

Additional Information

For more information on the uxconsole ldap command:

For more information about the ignore_dc_list token in uxauth.ini: