In a CA PAM where users are configured to use LDAP authentication, authentication is taking a long time to occur, even though apparently all domain controller servers are active

CA PAM all major releases as of January 2022

PAM tries to log in using the list of LDAP/AD servers present in Configuration --> Third Pary -->LDAP --> Domain where users are defined This means PAM will try to use the first server in the list and, if this fails, go to the second one, then the third, etc.

This means that if PAM is trying to use one specific server and it cannot properly communicate with it, it will spend some time before it tries with the second one, and so on.

One of the limitations of the product, as of version 4.X is that the first servers in the list of LDAP/AD servers available to PAM cannot be moved down. So if there is a problem with that server, that will of course cause a delay.

There is not an easy solution for this, because moving the server to a lower priority situation would mean recreating the LDAP connection and making sure that that server is added in a different position.

One of the uses cases which may trigger communication problems is if the first server in the list is defined with two addresses, one of which is sitting in a subnet which has port 636 filtered from PAM. In this particular case, sometimes, if the server name resolves to an address in the subnet where port 636 is open, PAM will communicate and authenticate immediately, but if the server resolves to an address in the subnet where port 636 is filtered, it will have to wait until there is a timeout to try to use the next server in the list before it attempts to authenticate again, thus causing delays.

There is no unique resolution, but basically it is necessary to make sure that communication to the first server in the LDAP/AD server list under Configuration -> Third Party --> LDAP --> Domain where CA PAM user is defined has port 636 open (not filtered). If there are several IP and subnets resolving to the name of a given LDAP/AD server, make sure that the port is open in all subnets.

If it is necessary to decommission or move down the first LDAP/AD server in the LDAP/AD servers list, it will be necessary to redo the whole LDAP/AD configuration as the first server cannot be moved down.