Changing LDAP Bind account host address in the PAM database

Article ID: 242404

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Once you have configured a device, target application and target account for LDAP integration and defined an LDAP domain on the Configuration > 3rd Party > LDAP page, the address of that device can no longer be changed in the PAM UI. The only option the UI offers is to delete the LDAP domain and create it again, but that removes the imported user and device groups and any policies that reference them.

An alternative is to change the device address directly in the PAM database.

A typical use case is the introduction of a new AD load balancer that only connects to AD controllers in the same datacenter as the PAM servers, where the originally configured address was a global load balancer or traffic manager.

Cause

PAM blocks the address change to prevent administrators from inadvertently breaking the LDAP integration.

Resolution

If your environment allows PAM Support to access your PAM servers using SSH Remote Debugging Services, open a case with PAM Support so the team can assist you with the address change without losing what you have already configured in PAM.