Failing to delete a LDAP user in PAM via LDAP refresh (User was deleted in AD)
search cancel

Failing to delete a LDAP user in PAM via LDAP refresh (User was deleted in AD)

book

Article ID: 248745

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Trying to delete one LDAP user.  First, removed this user from  Active Directory group. Second, on performing a LDAP refresh the user did not get removed from PAM. This was unexpected.

Environment

Release : 4.0

Component :

Cause

The user has some Session Logs Reports customized in their profile preventing the user to be removed from PAM

Resolution

1 - Initially, ran the LDAP Group refresh several times but the user is not removed.

2 - Attempted to delete the user through the PAM User Interface and received the error below:

              "PAM-CMN-0277 - A provisioned user ldap must belong to at least one group."

3 - Shared PAM_USR_SYNC.p.bin patch with the client and then installed this patch twice in customer's PAM environment. Both times this message below was seen in the PAM's Session logs indicating that the Session Log reports are making the user busy and hence the user cannot be deleted:

"Unable to delete user <user CN> because it has custom report NAME_OF_THE_REPORTS_SPACE_SEPARATED_IF_MORE_THAN_ONCE assigned. Please delete the report and run the patch again."

4 - Deleted the reports called out in the Session==>Logs==>Reports===>Manage Reports menu;

5 - Ran the PAM_USR_SYNC.p.bin patch again and this time the user was successfully removed showing the following message in Session Logs below:

User <brokenuser@brokenuserdomain> was present in the access manager but not the credential manager. deleting.

Issue was deemed as  Resolved