Running capam_command with an LDAP user results in error PAM-CM-0567: Failed to authenticate with the Password Authority service

Article ID: 259670


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Trying to use capam_command with an LDAP user to retrieve data from CA PAM, for instance

capam_command capam=mypam.test [email protected] cmdName=getErrorCodes

results in the error

PAM-CM-0567: Failed to authenticate with the Password Authority service.

However, user myuser exists in LDAP and has been correctly imported into CA PAM.

Environment

CA PAM all active releases

Cause

Whenever a user is imported from LDAP, several attributes get populated: the sAMAccountName, the User Principal Name (UPN) and the Username.

In general the sAMAccountName may coincide with the Username, and also with the UPN, but in other cases, like the one shown in this example, the three attributes may differ.

The problem occurs because the reference to the user in the Password Authority part of the database (which is the part that capam_command queries) uses an attribute that differs from the Username or sAMAccountName. In this case, for instance, Username and sAMAccountName both reference user test1 or [email protected], but the UPN refers to [email protected].


Resolution

In this case, trying the same command but using the UPN may work.
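The diagnosis above (three identity attributes populated at import, only one of which the Password Authority record references) and the resolution (retry with the UPN) can be turned into a small, repeatable check. The following is an added example, not code from the article or from CA PAM: it collects the distinct Username, sAMAccountName and UPN values of an imported user and tries them in order until one authenticates, stopping on any error other than PAM-CM-0567. The Password Authority lookup is simulated by a constructed stand-in that knows exactly one identifier, mirroring the article's case; the `ImportedUser` fields and the sample UPN are assumptions made for the example.

```python
"""Try each identity attribute an LDAP import gives a PAM user until one
authenticates against the Password Authority.

Added example; the Password Authority lookup below is simulated, it is not
capam_command or any CA PAM API."""
from dataclasses import dataclass
from typing import Callable, List, Optional

PASSWORD_AUTHORITY_AUTH_ERROR = "PAM-CM-0567"  # error code from the article


@dataclass(frozen=True)
class ImportedUser:
    """The three identity attributes populated when a user is imported from LDAP
    (field names are assumptions for this example)."""
    username: str
    sam_account_name: str
    upn: str


class AuthFailure(Exception):
    """Raised by the (simulated) Password Authority when authentication fails."""

    def __init__(self, code: str, message: str) -> None:
        super().__init__(f"{code}: {message}")
        self.code = code


def candidate_identifiers(user: ImportedUser) -> List[str]:
    """Distinct identifiers to try, in order: Username, sAMAccountName, UPN.
    Duplicates are dropped so an identifier is never retried needlessly."""
    seen: List[str] = []
    for ident in (user.username, user.sam_account_name, user.upn):
        if ident and ident not in seen:
            seen.append(ident)
    return seen


def resolve_working_identifier(
    user: ImportedUser, authenticate: Callable[[str], bool]
) -> Optional[str]:
    """Return the first identifier the Password Authority accepts, or None.

    Only PAM-CM-0567 is treated as "wrong identifier, try the next one";
    any other failure is re-raised so a real outage is not masked."""
    for ident in candidate_identifiers(user):
        try:
            authenticate(ident)
            return ident
        except AuthFailure as exc:
            if exc.code != PASSWORD_AUTHORITY_AUTH_ERROR:
                raise
    return None


def make_simulated_authority(known_identifier: str) -> Callable[[str], bool]:
    """Constructed stand-in for the Password Authority: its record for the user
    references exactly one identifier (in the article's case, the UPN)."""

    def authenticate(ident: str) -> bool:
        if ident != known_identifier:
            raise AuthFailure(
                PASSWORD_AUTHORITY_AUTH_ERROR,
                "Failed to authenticate with the Password Authority service",
            )
        return True

    return authenticate


# Constructed sample mirroring the article: Username and sAMAccountName agree,
# the UPN differs, and the Password Authority record references the UPN.
SAMPLE_USER = ImportedUser(
    username="test1",
    sam_account_name="test1",
    upn="test1@corp.example.com",
)

if __name__ == "__main__":
    authority = make_simulated_authority(SAMPLE_USER.upn)
    print("candidates:", candidate_identifiers(SAMPLE_USER))
    print("working identifier:", resolve_working_identifier(SAMPLE_USER, authority))
```

Swapping the simulated `authenticate` for a wrapper that runs the real command and maps its PAM-CM-0567 output to `AuthFailure` gives a wrapper that tries the UPN automatically when the Username fails; the `None` result is the signal that none of the three imported attributes matches the Password Authority record and the import itself needs to be checked.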
