Sometimes the LDAP group refresh hangs and shows a popup error: PAM-CMN-1172: Your session has been terminated by a CA PAM administrator.
Other times, if the refresh is left running, it returns: LDAP-0000. Error updating member CN=<CN of user>. PAM-CMN-0020: Error occurred trying to complete request (76). (This error also appears in the Session Logs.)
Release: 4.1.1 Build 181
The phone number of the user in LDAP/AD is longer than 30 characters, while the PAM database schema limits the phone field to 30 characters.
When PAM tries to insert or update the user, the database returns an internal error that the data is too long for column 'phone' at row 1. This detail is not shown in the PAM UI, but PAM Support can see it in the system logs.
Use the session log messages to identify the affected users and check their phone setting in LDAP. In the cases reported so far, the phone number contained unneeded characters, such as extra space characters, and removing them in LDAP brought the value down to 30 characters or fewer, which resolved the problem.
If you have a use case that genuinely needs more than 30 characters in this field, raise an idea for a product enhancement on the ideation page and have your Broadcom account team reach out to PAM product management. To get such a user into PAM in the meantime, temporarily reduce the phone field to 30 characters or fewer, refresh the group, and then restore the original phone number. Subsequent LDAP refreshes will log update errors for that user, but this should not prevent the refresh of users that do not have this problem.
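As an added example (not part of the Broadcom article or of the PAM product), the following Python script performs the check described above on constructed data: it pulls the DNs named in "Error updating member" session-log messages, looks up each user's telephoneNumber in an LDIF export of the kind ldapsearch or ldifde produce, and reports whether stripping surplus whitespace alone brings the value within the 30-character limit. The log-line shape, the LDIF excerpt, the DNs and the phone values are all constructed for illustration, and the assumption that telephoneNumber is the attribute PAM maps to its phone field is exactly that, an assumption.

```python
import re

# Length limit of the 'phone' column in the PAM database, as stated in the article.
PHONE_LIMIT = 30

# Constructed sample session-log lines (not real PAM output). The message shape
# follows the error text quoted in the article; the DNs are made up.
SAMPLE_SESSION_LOG = """\
LDAP-0000. Error updating member CN=Jane Doe,OU=Users,DC=example,DC=com. PAM-CMN-0020: Error occurred trying to complete request (76).
Updated member CN=John Smith,OU=Users,DC=example,DC=com
LDAP-0000. Error updating member CN=Bob O'Neil,OU=Users,DC=example,DC=com. PAM-CMN-0020: Error occurred trying to complete request (76).
"""

# Constructed LDIF excerpt of the kind an ldapsearch/ldifde export of the
# affected users would produce; the phone values are made up.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
telephoneNumber: +1  555  123  4567   ext.   1234

dn: CN=John Smith,OU=Users,DC=example,DC=com
telephoneNumber: +1 555 987 6543

dn: CN=Bob O'Neil,OU=Users,DC=example,DC=com
telephoneNumber: +44 20 7946 0958 (main switchboard, ask for Bob)
"""

# Assumption: the failing member's DN sits between "Error updating member " and
# the ". PAM-CMN-0020" that follows it, as in the message quoted in the article.
_ERROR_RE = re.compile(r"Error updating member (CN=.*?)\. PAM-CMN-0020")


def affected_dns(session_log: str) -> list[str]:
    """Return the DNs named in 'Error updating member' messages, in log order, without duplicates."""
    seen: list[str] = []
    for line in session_log.splitlines():
        m = _ERROR_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def parse_ldif(ldif: str) -> dict[str, dict[str, str]]:
    """Minimal LDIF reader: one entry per blank-line-separated block, 'attr: value' lines only.
    Base64 values ('attr:: value') and folded continuation lines are not handled."""
    entries: dict[str, dict[str, str]] = {}
    for block in ldif.strip().split("\n\n"):
        attrs: dict[str, str] = {}
        for line in block.splitlines():
            if ": " in line:
                name, value = line.split(": ", 1)
                attrs[name] = value
        if "dn" in attrs:
            entries[attrs["dn"]] = attrs
    return entries


def normalize_phone(value: str) -> str:
    """Drop leading/trailing whitespace and collapse internal runs of whitespace to one space."""
    return " ".join(value.split())


def audit_phones(session_log: str, ldif: str, limit: int = PHONE_LIMIT) -> dict[str, dict]:
    """For every DN reported in the session log, measure its telephoneNumber against the
    PAM column limit and say whether whitespace clean-up alone brings it within the limit."""
    entries = parse_ldif(ldif)
    report: dict[str, dict] = {}
    for dn in affected_dns(session_log):
        phone = entries.get(dn, {}).get("telephoneNumber", "")
        trimmed = normalize_phone(phone)
        report[dn] = {
            "length": len(phone),
            "over_limit": len(phone) > limit,
            "trimmed": trimmed,
            "trimmed_length": len(trimmed),
            "fits_after_trim": len(trimmed) <= limit,
        }
    return report


if __name__ == "__main__":
    for dn, r in audit_phones(SAMPLE_SESSION_LOG, SAMPLE_LDIF).items():
        verdict = "trim whitespace" if r["fits_after_trim"] else "needs manual shortening"
        print(f"{dn}: {r['length']} chars -> {r['trimmed_length']} after trim ({verdict})")
```

Users whose value fits after trimming are the case the article describes; users still over the limit after trimming are the ones for which the temporary-shortening workaround or an enhancement request applies. Only DNs that actually appear in error messages are reported, so a user with a short phone number is not flagged even if present in the export.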