PAM LDAP Refresh Does Not Remove Deleted Users


Article ID: 216198




CA Privileged Access Manager (PAM)


LDAP users that have been deleted from the directory still appear in the PAM UI for some LDAP groups. Manually refreshing the LDAP group removes the deleted users, but the automatic LDAP refresh does not.

In the Session Logs, the automatic LDAP refresh for that group reports devices rather than users.

LDAP Group:

PAM Group:


Privileged Access Manager 3.4.x


The issue occurs because an empty LDAP Device Group with the same name exists in PAM. This group may have been imported accidentally, either through the CSV import or by a user clicking IMPORT LDAP GROUPS on the Device Groups page while thinking it was the User Groups page.


To fix the issue, confirm that the LDAP device group of the same name is empty, delete it, and let the automatic LDAP refresh run again. The refresh will then process the LDAP user group correctly and remove the deleted users.