LDAP User account attributes are not synchronizing to PAM



Article ID: 272010


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

User attributes imported from an LDAP group are not synchronizing when the AD team changes the user attributes in AD. This is with special reference to the E-mail address field.

We have deleted the E-mail address of a user in AD, then refreshed the group and also scheduled the interval to 60 minutes. But sometimes we observe that a few attributes like the mail ID are not synced with AD.

Please suggest a solution for the same.

Environment

Release : 4.x

Cause

In Active Directory, providing an E-mail address is not mandatory when creating a user account, and the LDAP group refresh in CA PAM implements the same rule.

During a refresh the email address is not updated if the value read from AD is null or an empty string (after trimming whitespace); the value already stored in CA PAM is left as it is. The same rule applies to first name and last name, as the following fragment of the sync code shows:

// 'user' holds the attributes read from the LDAP/AD entry; 'argus' is the
// attribute map that will be applied to the CA PAM user record.
// Each attribute is copied only when AD returns a non-null, non-blank value;
// otherwise the key is not put into the map and the existing PAM value survives.
if (!(user.getLastName() == null || user.getLastName().trim().equals(""))) {
    argus.put("lastName", user.getLastName());
}
if (!(user.getFirstName() == null || user.getFirstName().trim().equals(""))) {
    argus.put("firstName", user.getFirstName());
}
if (!(user.getEmail() == null || user.getEmail().trim().equals(""))) {
    argus.put("email", user.getEmail());
}

Resolution

The product is working as expected per design.

LDAP users can be created with a blank E-mail address; such users are imported into CA PAM with a blank E-mail address.

Once the E-mail is set in AD, the same value is updated in CA PAM. The E-mail address can be modified in AD and the change will be reflected upon the next LDAP User Group Refresh in CA PAM.

The E-mail address in CA PAM cannot be cleared by deleting it in AD; this is as per the product design, because a blank value is skipped by the refresh and the previous address is retained. If there is a requirement to remove the E-mail of any user in AD, it is recommended to set a dummy E-mail address instead, one that is not mapped to any user account or mailbox, so that the refresh overwrites the old address rather than leaving it in place. Note that the dummy value must be non-blank after trimming: a value consisting only of spaces is treated the same as an empty string and will not overwrite anything.
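The following is an added illustration of the refresh rule from the Cause section and of the dummy-address workaround from this Resolution; it is not CA PAM's own code. It models one LDAP User Group Refresh as a merge of an AD entry into a PAM record (skipping null/blank values exactly as the Java fragment does) and adds a small drift check that lists PAM users whose stored email no longer matches what AD returns. The record layout, the user names and the placeholder address are constructed for the example.

```python
"""Model of the CA PAM LDAP group-refresh rule: a null or blank AD value
never overwrites the value PAM already holds.  Illustrative code only,
not CA PAM's implementation; record shapes and sample data are assumed."""

# Attributes the refresh copies, mirroring the Java fragment in the Cause section.
SYNCED_ATTRS = ("firstName", "lastName", "email")


def is_blank(value):
    """True for None or a string that is empty after trim(), as in the Java code."""
    return value is None or value.strip() == ""


def refresh_user(pam_record, ad_entry):
    """Apply one group refresh: return the PAM record updated from the AD entry.

    An attribute is copied only when AD supplies a non-blank value; otherwise
    the existing PAM value is retained.  The input record is not modified.
    """
    updated = dict(pam_record)
    for attr in SYNCED_ATTRS:
        value = ad_entry.get(attr)
        if not is_blank(value):
            updated[attr] = value
    return updated


def find_stale_emails(pam_records, ad_entries):
    """List (username, pam_email, ad_email) for PAM users whose stored email
    differs from AD.  ad_email is None when AD has no (or a blank) value, which
    is exactly the case a refresh cannot fix on its own."""
    stale = []
    for username, pam in pam_records.items():
        ad = ad_entries.get(username, {})
        pam_mail = (pam.get("email") or "").strip()
        ad_mail = (ad.get("email") or "").strip()
        if pam_mail and ad_mail != pam_mail:
            stale.append((username, pam_mail, ad_mail or None))
    return stale


# Constructed sample data: what PAM holds before the refresh and what AD
# currently returns for the same users.
PAM_BEFORE = {
    "alice": {"firstName": "Alice", "lastName": "Smith", "email": "alice@corp.example"},
    "bob":   {"firstName": "Bob",   "lastName": "Jones", "email": "bob@corp.example"},
    "carol": {"firstName": "Carol", "lastName": "Lee",   "email": "carol@corp.example"},
}

# Assumed placeholder address, not mapped to any account or mailbox.
PLACEHOLDER = "removed-user@noreply.corp.example"

AD_NOW = {
    # alice: mail attribute deleted in AD -> comes back empty
    "alice": {"firstName": "Alice", "lastName": "Smith", "email": ""},
    # bob: mail attribute changed in AD -> non-blank, will be copied
    "bob":   {"firstName": "Bob",   "lastName": "Jones", "email": "robert.jones@corp.example"},
    # carol: mail replaced with the recommended placeholder
    "carol": {"firstName": "Carol", "lastName": "Lee",   "email": PLACEHOLDER},
}


def run_refresh(pam_records=PAM_BEFORE, ad_entries=AD_NOW):
    """Refresh every PAM user from its AD entry and return the new PAM state."""
    return {
        name: refresh_user(record, ad_entries.get(name, {}))
        for name, record in pam_records.items()
    }


if __name__ == "__main__":
    after = run_refresh()
    for name, rec in after.items():
        print(f"{name}: {rec['email']}")
    for name, pam_mail, ad_mail in find_stale_emails(after, AD_NOW):
        print(f"stale: {name} PAM={pam_mail!r} AD={ad_mail!r}")
```

Running the block shows that alice keeps her old address after the refresh (and is the only entry the drift check reports), bob's new address is copied, and carol's address is replaced by the placeholder. The drift check is the kind of periodic comparison worth running against exports of both directories, since an address that AD no longer knows about can otherwise linger in PAM indefinitely.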