PAM LDAP Refresh Does Not Remove Deleted Users
Article ID: 216198
Updated On:
Products
CA Privileged Access Manager (PAM)
Issue/Introduction
LDAP users which have been deleted still remain in the PAM UI for some LDAP groups. Manually refreshing the LDAP group deletes the users, but the automatic LDAP refresh does not delete the users.
In the Session Logs, the LDAP refresh mentions devices rather than users for that group.
LDAP Group:
PAM Group:
Environment
Privileged Access Manager 3.4.x
Cause
The issue is occurring because there is an empty LDAP Device Group of the same name in PAM. This group may have been accidentally imported through the CSV or through a user clicking IMPORT LDAP GROUPS on the device groups page thinking it was the user groups page.
Resolution
To fix the issue, delete the LDAP device group and let the LDAP refresh run again. It will now refresh the LDAP user group properly.
Attachments
Feedback
Yes
No
Powered by
