You are refreshing a previously imported LDAP group to add a new member of that group to PAM. Refreshes of this group worked in the past, but now every refresh produces a session log message reporting a failed new user, like:
PAM-LDAP-0009: LDAP Group CN=<groupname>,OU=<ou>,DC=example,DC=com updated. 0 New Users, 0 Updated Users, 0 Deleted Users, 1 Failed New Users, 0 Failed Updated Users, 0 Failed Deleted Users, XX Users Retrieved From LDAP Directory Server
Other LDAP groups refresh without problems.
The new user in the group has a syntax error in the email address configured in Active Directory: a comma was typed in place of a dot, for example commauser2@example,com instead of commauser2@example.com. The PAM session log also contains a message similar to the following, preceding the PAM-LDAP-0009 message:
Fixing the email address in Active Directory resolves this problem. The next group refresh will bring the user into PAM.
If a user was imported successfully in the past but later had the email address changed to an invalid string, the refresh message reports a failed updated user instead, similar to the following:
PAM-LDAP-0009: LDAP Group CN=<groupname>,OU=<ou>,DC=example,DC=com updated. 0 New Users, 0 Updated Users, 0 Deleted Users, 0 Failed New Users, 1 Failed Updated Users, 0 Failed Deleted Users, XX Users Retrieved From LDAP Directory Server
When an invalid email address is the cause, the session log contains a message similar to the following, preceding the PAM-LDAP-0009 message:
PAM-CMN-2261: Password Authority failure to try to activate user <username>. Message: PAM-CM-0728: User email address is invalid..
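As an added example (not part of this article and not PAM's own code), the following Python script shows how to triage both cases above from outside PAM: it parses the two message formats quoted in this article out of a session log, pairs each PAM-LDAP-0009 summary that reports failures with the PAM-CMN-2261 lines that precede it, and checks the mail attribute of the group's members for the comma-for-dot mistake before the next refresh. The group membership and the log lines are constructed samples, and the email syntax rule is an assumption, since the article does not state exactly what PAM accepts.

```python
"""Triage helpers for PAM LDAP group refresh failures.

Added example, not CA/Broadcom PAM code. Regexes follow the message
formats quoted in the article; the mail syntax rule is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# PAM-LDAP-0009 summary line, field order as quoted in the article.
SUMMARY_RE = re.compile(
    r"PAM-LDAP-0009: LDAP Group (?P<dn>.+?) updated\. "
    r"(?P<new>\d+) New Users, (?P<updated>\d+) Updated Users, "
    r"(?P<deleted>\d+) Deleted Users, (?P<failed_new>\d+) Failed New Users, "
    r"(?P<failed_updated>\d+) Failed Updated Users, "
    r"(?P<failed_deleted>\d+) Failed Deleted Users, (?P<retrieved>\d+) Users Retrieved"
)

# PAM-CMN-2261 activation failure; the nested PAM-CM message is captured
# without the trailing period(s).
ACTIVATION_FAILURE_RE = re.compile(
    r"PAM-CMN-2261: Password Authority failure to try to activate user "
    r"(?P<user>\S+)\. Message: (?P<msg>PAM-CM-\d+: .+?)\.*$"
)

# Assumed syntax rule: local@domain with at least one dot in the domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_refresh_summary(line: str) -> Optional[Dict[str, object]]:
    """Return the counters of a PAM-LDAP-0009 line as ints (dn kept as str)."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    return {k: (v if k == "dn" else int(v)) for k, v in m.groupdict().items()}


def failed_count(summary: Dict[str, object]) -> int:
    return summary["failed_new"] + summary["failed_updated"] + summary["failed_deleted"]


def diagnose_session_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Pair every PAM-LDAP-0009 summary reporting failures with the
    PAM-CMN-2261 lines preceding it; returns (group DN, user, cause)."""
    results, pending = [], []
    for line in lines:
        m = ACTIVATION_FAILURE_RE.search(line)
        if m:
            pending.append((m.group("user"), m.group("msg")))
            continue
        summary = parse_refresh_summary(line)
        if summary is None:
            continue
        if failed_count(summary):
            results.extend((summary["dn"], u, msg) for u, msg in pending)
        pending = []  # causes belong to the summary that follows them
    return results


def mail_problem(mail: Optional[str]) -> Optional[str]:
    """None if the address looks acceptable, else a short reason.
    Assumption: PAM rejects the variants below; the article only shows
    the comma-for-dot case."""
    if mail is None or mail.strip() == "":
        return "mail attribute missing or empty"
    if mail != mail.strip():
        return "leading or trailing whitespace"
    if "," in mail:
        return "contains ',' (comma typed instead of '.')"
    if mail.count("@") != 1:
        return "must contain exactly one '@'"
    if not EMAIL_RE.match(mail):
        return "does not match local@domain.tld syntax"
    return None


def find_members_with_bad_mail(members: List[Dict[str, Optional[str]]]):
    """Flag group members whose mail attribute would fail activation."""
    flagged = []
    for m in members:
        reason = mail_problem(m.get("mail"))
        if reason:
            flagged.append((m["sAMAccountName"], m.get("mail"), reason))
    return flagged


# Constructed sample data, shaped like an LDAP search of the group members.
GROUP_MEMBERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com"},
    {"sAMAccountName": "commauser2", "mail": "commauser2@example,com"},
    {"sAMAccountName": "bob", "mail": None},
]

# Constructed session log lines using the formats quoted in the article.
SESSION_LOG = [
    "PAM-CMN-2261: Password Authority failure to try to activate user commauser2. "
    "Message: PAM-CM-0728: User email address is invalid..",
    "PAM-LDAP-0009: LDAP Group CN=PAMUsers,OU=Groups,DC=example,DC=com updated. "
    "0 New Users, 0 Updated Users, 0 Deleted Users, 1 Failed New Users, "
    "0 Failed Updated Users, 0 Failed Deleted Users, 12 Users Retrieved From LDAP Directory Server",
]

if __name__ == "__main__":
    for dn, user, cause in diagnose_session_log(SESSION_LOG):
        print(f"{dn}: {user} failed: {cause}")
    for name, mail, reason in find_members_with_bad_mail(GROUP_MEMBERS):
        print(f"fix {name} ({mail!r}) in AD before the next refresh: {reason}")
```

In practice, build the member list from an LDAP search against the group's `member` attribute (for example ldapsearch or Get-ADGroupMember output) rather than the constructed sample, and run the check before triggering the refresh so the failing account is corrected in Active Directory first. The syntax check is deliberately conservative; an address it flags is worth a look, but an address it passes is not guaranteed to be one PAM accepts.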