ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Unix servers moved from one OU to another caused loss of all target applications and accounts

book

Article ID: 237848

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Unix servers were moved from one OU to another in AD.  We lost all Unix devices, target applications and accounts.  The automatic LDAP refresh deleted the entries and then created new ones.  All Unix servers are inaccessible now, because the target accounts used for auto-login are gone.

Cause

The automatic LDAP refresh processes one device group at a time. If the group that the devices used to belong to, but are no longer member of, is refreshed first, the devices, and all associated target applications and accounts, will be deleted. When the group that the devices moved to is refreshed, or possibly added as new group, later, the devices will be created new, but without target applications and accounts. Those will have to be created again.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

If you become aware of an upcoming movement of devices to other OUs, we recommend using the following procedure:

- Disable automatic LDAP refresh temporarily. This is done on the Configuration > 3rd Party > LDAP page, after editing the domain.

- Wait for the devices to be moved over. If there is a need to refresh other groups, or LDAP user groups, do it manually.

- Manually refresh the device group that the devices moved to: Devices > Manage Device Groups, select the new group and click on Refresh LDAP Groups. If the new group is not in PAM yet, use Import LDAP Groups.

- Verify that the devices now show as members of the old and the new device group. If not, stop here and engage PAM Support.

- Manually refresh the old device group. The devices should now disappear from that group, but remain in PAM because they are member of the new group already.

- Restore automatic LDAP refresh.