LDAP unable to delete user from LDAP group imported in CA PAM

Article ID: 205757

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Can users imported from LDAP be deleted from CA PAM directly?

When attempting to delete the imported user the following error message appears in the CA PAM UI.

Error: PAM-UI-2401: Error deleting user. Users provisioned from LDAP may not be deleted directly, only by deleting their LDAP group.

Cause

Users imported from LDAP can't be deleted in CA PAM because the user object actually exists in LDAP and is merely imported into CA PAM.

After the users are imported into CA PAM only certain fields can be modified for the LDAP users.

Environment

Release : 3.3.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

If an LDAP user is to be deleted from CA PAM, or removed from a group to which the user belongs, the removal or deletion must be performed in the LDAP directory where the user actually exists.

After the user is deleted in LDAP, the only action required in CA PAM is to refresh the LDAP group to which the user belonged.

A refresh of the LDAP group will reflect the changes in CA PAM UI.
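The LDAP-side step above, as an added example that is not part of this article and not CA PAM's own tooling: a POSIX shell script that builds the LDIF change records for removing a user from a group (or deleting the user entry outright) and hands them to the standard OpenLDAP ldapmodify client. The directory URI, bind DN, password file, group DN and user DN are constructed placeholders; the script only prints the LDIF unless LDAP_APPLY=1 is set, so it can be reviewed before anything is changed. The CA PAM step (refreshing the imported LDAP group) is still done in the PAM UI afterwards.

```shell
#!/bin/sh
# Added example, not from the CA PAM article. Assumes an OpenLDAP-style
# directory and the ldapmodify client. All DNs and connection values below
# are constructed placeholders.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"
PASS_FILE="${PASS_FILE:-/run/secrets/ldap-bind-pw}"   # password read from file, never from the command line
GROUP_DN="cn=pam-users,ou=groups,dc=example,dc=com"    # the group CA PAM imported
USER_DN="uid=jdoe,ou=people,dc=example,dc=com"         # the user to remove

# LDIF change record that removes one member value from a group.
# Usage: group_removal_ldif GROUP_DN USER_DN
group_removal_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: member\nmember: %s\n-\n' "$1" "$2"
}

# LDIF change record that deletes the user entry itself.
# Usage: user_delete_ldif USER_DN
user_delete_ldif() {
    printf 'dn: %s\nchangetype: delete\n' "$1"
}

# Send LDIF from stdin to the directory. Dry run (print only) unless LDAP_APPLY=1.
apply_ldif() {
    if [ "${LDAP_APPLY:-0}" = "1" ]; then
        ldapmodify -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE"
    else
        cat
    fi
}

# Remove the membership first so the group no longer references the entry,
# then delete the entry. Refresh the group in CA PAM once this has been applied.
group_removal_ldif "$GROUP_DN" "$USER_DN" | apply_ldif
user_delete_ldif "$USER_DN" | apply_ldif
```

Removing the `member` value before deleting the entry avoids leaving a dangling DN in the group; after the change is applied, refreshing the group in CA PAM drops the user from the PAM UI, which is the only PAM-side action the article calls for.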
