Periodically, PAM admins call support to report that the LDAP job has hung. Traditionally, we have had to SSH into the server in question and kill the process.
PAM all versions
Support can supply the PAM_SUPPORT_KILL_LDAP_IMPORT patch.
The PAM_SUPPORT_KILL_LDAP_IMPORT patch kills a hung LDAP process on a PAM server. It is intended for use when the PAM dashboard keeps showing the "PAM-CMN-0628: An LDAP operation is in progress." warning for much longer than the expected duration of the LDAP refresh operations while the session logs show no LDAP refresh activity, which is clear evidence that the LDAP refresh has hung.
In a cluster environment, all primary nodes may show the dashboard message to PAM admins, but the first node in the primary site is traditionally the one running the LDAP refresh and the one the patch would have to be applied to. However, you can confirm this by going into the session logs of each server and looking for LDAP messages. While the LDAP refresh is running, you should see LDAP group refresh messages in the session logs of that node.
The patch is applied from the Configuration > Upgrade page, like any other hotfix or maintenance release patch.
Note that any patch application starts with PAM taking a database backup. For a large database this can take some time, even though the patch itself takes minimal time to run. If you need to apply the patch repeatedly, you will want to clean up those additional DB backup files from the Configuration > Database page.
Once the patch is applied, check the session log for a message like:
PAM_SUPPORT_KILL_LDAP_REFRESH - killed 1 ldap importer processes