PAM LDAP Refresh Does Not Remove Deleted Users

Article ID: 216198

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

LDAP users that have been deleted from the directory still appear in the PAM UI for some LDAP groups. Manually refreshing the LDAP group removes the deleted users, but the scheduled automatic LDAP refresh does not.

In the Session Logs, the LDAP refresh mentions devices rather than users for that group.

LDAP Group:

PAM Group:

Environment

Privileged Access Manager 3.4.x

Cause

The issue occurs because an empty LDAP Device Group with the same name as the LDAP user group exists in PAM. Such a group may have been created accidentally, either through a CSV import or by a user clicking IMPORT LDAP GROUPS on the Device Groups page while believing it was the User Groups page.

Resolution

To fix the issue, delete the empty LDAP device group and let the LDAP refresh run again. The refresh will then process the LDAP user group correctly and remove the deleted users.
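The cause and resolution above come down to one condition: an LDAP device group that shares its name with an LDAP user group and has no members. The following script is an added example, not part of this article and not a PAM tool, that checks for that condition across exported group lists. It assumes two CSV exports with a `name` and a `members` column (an assumed layout; adapt the column names to whatever your export actually contains) and uses constructed sample rows so that it runs offline.

```python
import csv
import io

# Constructed sample exports (assumed layout: group name, member count).
# These rows are made up for the example; they are not real PAM data.
USER_GROUPS_CSV = """name,members
LDAP_Admins,12
LDAP_Operators,5
LDAP_Auditors,3
"""

DEVICE_GROUPS_CSV = """name,members
LDAP_Admins,0
LDAP_Operators,7
Datacenter_Switches,40
"""


def parse_groups(text):
    """Parse a CSV export into {group_name: member_count}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["name"].strip(): int(row["members"]) for row in reader}


def find_name_collisions(user_groups, device_groups):
    """Return device group names that also exist as user groups."""
    return sorted(name for name in device_groups if name in user_groups)


def find_shadowing_device_groups(user_groups, device_groups):
    """Return empty device groups whose name matches a user group.

    These are the groups the article identifies as the cause: an empty
    LDAP device group with the same name as an LDAP user group. Deleting
    them (after confirming they hold no devices) is the documented fix.
    """
    return [
        name
        for name in find_name_collisions(user_groups, device_groups)
        if device_groups[name] == 0
    ]


def report(user_csv, device_csv):
    """Build a short report of collisions, flagging the empty ones."""
    users = parse_groups(user_csv)
    devices = parse_groups(device_csv)
    empty = set(find_shadowing_device_groups(users, devices))
    lines = []
    for name in find_name_collisions(users, devices):
        state = "EMPTY - candidate for deletion" if name in empty else "has devices - review before acting"
        lines.append(f"{name}: device group {state}")
    return lines


if __name__ == "__main__":
    for line in report(USER_GROUPS_CSV, DEVICE_GROUPS_CSV):
        print(line)
```

Non-empty collisions are reported but not flagged for deletion: a device group that genuinely holds devices under a name that also exists as a user group is a naming-hygiene problem worth reviewing, not the empty-group condition this article describes.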