Unable to import users from OpenLDAP into CA PAM

Article ID: 202616


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are trying to import some LDAP users by integrating OpenLDAP with CA PAM.

The definition of the LDAP server is correct and the connection works fine. The groups and the users in them are displayed correctly in the LDAP Browser GUI when opening "Import LDAP Group" from PAM.

However, trying to import users results in the error:

PAM-LDAP-0025 LDAP Group ou=XXX, dc=XXX, dc=XXX not found in the domain

and the group is not imported.

Environment

CA Privileged Access Manager (PAM), all versions

Cause

Several causes may lead to this problem. The main one is covered in the following KB article:

https://knowledge.broadcom.com/external/article?articleId=6505

In short, for PAM to work with OpenLDAP, the following two attributes must be set correctly for the connection to the LDAP server under Configuration --> 3rd Party --> LDAP in PAM:

  • User Group Objectclass
  • Group Member Attr

For instance, User Group Objectclass could be GroupOfNames, and Group Member Attr might simply be member. The right values have to be determined by navigating, in OpenLDAP, to the group(s) that we want to import and checking what these attributes are called there. These names are specific to each implementation, so they need not be changed.

It may also happen, however, that this still does not make the LDAP import work for some users, or that within a group some users are imported and others are not. We may be getting errors like the following:

That is, error PAM-LDAP-0034, because PAM is not recognizing the actual users to import, even though the group attributes are correctly configured.

The reason for this error is the object class that the users imported into OpenLDAP belong to.

CA PAM follows the OpenLDAP implementation with respect to the object classes allowed to represent people. The OpenLDAP standard can be found in the following document:

https://tools.ietf.org/html/rfc4519#section-3.12

It states, in essence, that the object class for people is person. Any user entry whose object class does not conform to this standard will not be accepted by the PAM LDAP import utility and will result in the error displayed, despite being visible in the LDAP Browser.

The present article concerns importing users, but a similar situation would arise for other objects whose class is not the standard one OpenLDAP expects.

Objects in OpenLDAP may not conform to the standard because many different integrations (for instance, the integration for NIS) bring their own directory schemas and create their own objects. The use case presented in this document corresponds, for instance, to the integration of NIS with OpenLDAP. The users cannot be imported into CA PAM until this is corrected.

Resolution

There is no solution to this from the point of view of the product. However, most third-party implementations offer the possibility of including the person object class as part of the integration with OpenLDAP. See for instance https://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6678-10/ldif.htm#1047767 for including the Person Class for People in NIS. The LDAP admin should be contacted in such cases to take the necessary steps.
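A pre-check an LDAP admin could run over an LDIF export before attempting the import, flagging group members whose entries do not list the person object class described in the Cause section. This is an added example, not Broadcom or PAM code; the LDIF sample, the DNs and the function names are constructed for illustration, and the small parser assumes plain `attr: value` lines (no base64 values, no folded lines).

```python
# Added example: find group members whose entries lack objectClass "person".
# SAMPLE_LDIF is constructed; bob mimics an entry created by a NIS-style schema.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=pamadmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: account
objectClass: posixAccount
"""

def norm_dn(dn):
    """Case-insensitive DN key with whitespace around commas removed."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Return {normalized dn: {lowercased attribute: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                name, value = line.split(": ", 1)
                attrs[name.lower()].append(value.strip())
        if attrs.get("dn"):
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def check_group(entries, group_dn, group_class="groupOfNames", member_attr="member"):
    """Classify each member of group_dn as 'ok', 'not-person' or 'missing'."""
    group = entries.get(norm_dn(group_dn))
    if group is None or group_class.lower() not in [c.lower() for c in group["objectclass"]]:
        raise LookupError(f"{group_dn} not found with objectClass {group_class}")
    report = {}
    for member in group[member_attr.lower()]:
        entry = entries.get(norm_dn(member))
        classes = {c.lower() for c in entry["objectclass"]} if entry else None
        report[member] = "missing" if classes is None else ("ok" if "person" in classes else "not-person")
    return report
```

Pass `group_class` and `member_attr` the same values configured as User Group Objectclass and Group Member Attr in PAM, so the check reads the group the same way the LDAP settings describe it.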