PAM-LDAP-0013 or PAM-LDAP-0000 Error When Trying to REFRESH LDAP GROUP in PAM

Article ID: 211724

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

I can reproduce the problem by following the steps below.

Notes:
- The pamadmin3 user has been imported from the Active Directory (AD) "PAM Admins" group

1. Delete the pamadmin3 user in AD

2. Run REFRESH LDAP GROUPS from the PAM Admins group; I got the following error:

PAM-LDAP-0013: Error occurred while removing deleted import data OU=PAM Admins,OU=PAMS,DC=pamidlab,DC=local
JSONObject["responseData"] is not a JSONObject.
[com.ca.xsuite.common.json.JSONObject.getJSONObject(JSONObject.java:503), com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink.removeDeletedMembers(ServiceLDAPDataSink.java:428), com.xceedium.gatekeeper.ldapSink.DatabaseLDAPDataSink.run(DatabaseLDAPDataSink.java:335), com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink.run(ServiceLDAPDataSink.java:27), java.lang.Thread.run(Thread.java:748)]
PAM-LDAP-0013: Error occurred while removing deleted import data OU=PAM Admins,OU=PAMS,DC=pamidlab,DC=local
JSONObject["responseData"] is not a JSONObject.
[com.ca.xsuite.common.json.JSONObject.getJSONObject(JSONObject.java:503), com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink.removeDeletedMembers(ServiceLDAPDataSink.java:428), com.xceedium.gatekeeper.ldapSink.DatabaseLDAPDataSink.run(DatabaseLDAPDataSink.java:335), com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink.run(ServiceLDAPDataSink.java:27), java.lang.Thread.run(Thread.java:748)]

3. I recreate the pamadmin3 user in AD and make sure it belongs to the PAM Admins group

4. Run REFRESH LDAP GROUP again for the PAM Admins group; now I got the following error:

PAM-LDAP-0000: Error updating member CN=pamadmin3 admin,OU=PAM Admins,OU=PAMS,DC=pamidlab,DC=local 
PAM-CMN-0155: User CN=pamadmin3 admin,OU=PAM Admins,OU=PAMS,DC=pamidlab,DC=local was not updated.

Cause

The pamadmin3 user should have been deleted from PAM during the first REFRESH LDAP GROUP attempt. However, PAM failed to delete it because a Custom Report belonging to pamadmin3 exists. Please refer to the article "Getting PAM-UI-2404 When Trying to Delete LDAP Group" for other possible causes.

Environment

Release : 3.x

Resolution

Please raise a case with PAM Support, as we need to SSH to the PAM node and repair the cspm.admin table for the affected user(s). Please mention this KB article in the case so that PAM Support can look at it internally.