search cancel

Trying to add a utility appliance to a utility group when it is already member of an LDAP device group fails with PAM-UTL-0019

book

Article ID: 243693

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Customer has created a PAM SC Utility Appliance (UA) which he is importing into PAM via an LDAP device group. As a next step he is trying to add it to the Utility Appliance group to use it with PAM 4.0.X, butt this does not work and this results in the following error message:

"PAM-UTL-0019: Rebalance of PAM SC Utility Appliance was not successful. The utility group now contains the appliances from before the change."

 

Environment

CA PAM release 4.0.X and 4.1.X

Cause

This follows from the regular behaviour of PAM: if the UA is not defined manually but through an LDAP Device group, it can only be removed from the group by removing it from the group in LDAP, then performing the import of the appliance.

Now as part of the operation, when the PAM appliance imported as part of a device group (say Linux) is added to the Utiity Group, PAM will attempt to delete it from the LDAP Group and add it back to it and to the UA group. This is not possible as- as stated before- LDAP devices cannot be added or deleted from LDAP groups directly in PAM. So this will always fail.

Resolution

As of the writing of this article, there is no way to achieve this: a UA can only be added locally. No LDAP device group may be used to add the UA to PAM. It may belong, however, to local groups other than the UA group