search cancel

Inconsistent User/Group Listing with UNAB

book

Article ID: 201371

calendar_today

Updated On:

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

When UNAB is running, user authentication is sporadically failing. Users are authorized at the group level and when `uxconsole -manage -show -detail -user unabuser` is run, some of the user's groups are missing. After restarting UNAB, some times multiple times, the groups are listed again.

Cause

The inconsistent behavior indicates that there is an environmental issue causing UNAB to get different results when querying Active Directory. This was confirmed by using uxconsole to run LDAP queries to each of the domain controllers UNAB communicates with. On one of the DCs in the environment, the LDAP query could not find the specified group.

Sample output:

# uxconsole -krb -init -k > /dev/null
# cn= Sample-UNAB-Group
# uxconsole -ldap -search -d DomainController04 \(cn=$cn\)
CA ControlMinder UNAB uxconsole v12.81.0.3888 - console utility
Copyright (c) 2013 CA. All rights reserved.

Processing references ...
dn: ldap://fake.company.com/DC=fake,DC=company,DC=com
dn: ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
dn: ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com

No such entries

Environment

Unix Authentication Broker 12.8 and above

Resolution

In order to stabilize UNAB performance while the issue with the domain controller is reviewed, modify uxauth.ini and add the problem domain controller to the ignore_dc_list list. After making the modification, restart UNAB for the changes to take effect.

Additional Information

For more information on the uxconsole ldap command: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager-server-control/14-1/reference/utilities/uxconsole-utility-manage-unix-authentication-broker-endpoints/uxconsole-ldap-perform-ldap-queries-in-active-directory.html

For more information about the ignore_dc_list token in uxauth.ini: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager-server-control/14-1/reference/configuration-files/the-uxauth-ini-file/ad.html