PAM-CM-0226 Unable to add multiple LDAP configurations with different group object class

Article ID: 206027

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have a need to import two types of user groups from an LDAP server, and the two types have different object classes. The group member attribute is also different for the two types of groups.

But when we try to add another LDAP configuration with different User Group Object Class and Group Member Attribute values, PAM rejects it with the error:

PAM-CM-0226: LDAP Domain xxxx already exists.

Cause

PAM releases as of Jan 2021 require unique domain names for LDAP configurations. The domain name is retrieved from the LDAP server after connecting to it using the chosen target account credentials, and it cannot be controlled through target server, application or account configuration.

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

PAM does not support this use case at present. For each LDAP domain, only one user group object class and one group member attribute are supported. A future PAM release may include an enhancement allowing multiple object class and member attribute pairs to be configured, but as of Jan 2021 this is not on the product roadmap. For now the only option is to change the schema on the LDAP server side so that all groups share a common object class and member attribute.
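Before changing the directory schema as described above, it helps to know exactly which object class / member attribute pairs the existing groups use. The following is an added pre-check script, not part of CA PAM or of this article: it parses an LDIF export (for example the output of `ldapsearch -LLL`) with a small built-in parser, groups the entries by their (object class, member attribute) pair, and reports whether more than one pair is in use, which is the situation PAM cannot accommodate within a single LDAP domain. The mapping of group classes to conventional member attributes and the sample LDIF are constructed assumptions; adjust the mapping to your own directory's schema.

```python
"""Inventory the group object class / member attribute pairs in an LDIF export.

Added pre-check (not part of CA PAM): before changing the directory schema so
that every group shares one object class and one member attribute, list which
pairs are actually in use. Input is LDIF text such as the output of
`ldapsearch -LLL`; it is parsed here without third-party libraries.
"""
from collections import defaultdict

# Conventional group object class -> member attribute pairs. This mapping is an
# assumption about common schemas; extend it to match your own directory.
GROUP_CLASSES = {
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
    "posixgroup": "memberuid",
    "group": "member",  # Active Directory
}
MEMBER_ATTRS = ("member", "uniquemember", "memberuid")


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr_lowercase: [values]}) tuples.

    Folded continuation lines (leading space) are joined; comment and
    modify-separator lines are ignored; base64 (::) and URL (:<) values are
    skipped because only DN, objectClass and member attributes are needed.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith(("#", "-")):
            continue
        attr, _, value = line.partition(":")
        if value.startswith((":", "<")):
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][attr].append(value)
    return entries


def group_profiles(entries):
    """Map each (object_class, member_attr) pair to the DNs of groups using it.

    The member attribute reported is the one the entry actually carries; an
    empty group (no member values) falls back to the conventional attribute
    for its class.
    """
    profiles = defaultdict(list)
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        for cls in sorted(classes.intersection(GROUP_CLASSES)):
            present = [a for a in MEMBER_ATTRS if a in attrs]
            member_attr = present[0] if present else GROUP_CLASSES[cls]
            profiles[(cls, member_attr)].append(dn)
    return dict(profiles)


def pam_compatible(profiles):
    """Return (ok, pairs): ok is True only when at most one pair is in use,
    which is what PAM's one-configuration-per-LDAP-domain rule requires."""
    pairs = sorted(profiles)
    return len(pairs) <= 1, pairs


# Constructed sample export; not taken from any real directory.
SAMPLE_LDIF = """\
# constructed sample
dn: cn=pam-admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: pam-admins
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,
 dc=example,dc=com

dn: cn=pam-users,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: pam-users
uniqueMember: uid=carol,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
"""

if __name__ == "__main__":
    ok, pairs = pam_compatible(group_profiles(parse_ldif(SAMPLE_LDIF)))
    for cls, attr in pairs:
        print(f"{cls} / {attr}")
    print("single pair per domain:", ok)
```

Run against a real export, the report tells you which groups need to be migrated to the common class and member attribute before PAM can import them through one LDAP configuration; on the constructed sample it reports two pairs (groupOfNames/member and groupOfUniqueNames/uniqueMember) and flags the domain as incompatible.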