LDAP users removed after LDAP errors during refresh

Article ID: 274988

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We had multiple users complain that they could not access PAM anymore. When we checked the last LDAP refresh, we saw that hundreds of users had been deleted. There was no change in Active Directory; all of those users are still in the group. A later manual refresh restored the users, but all the policies were lost and had to be recreated.

Environment

Release : 4.0-4.1.5

Cause

There was a problem with error processing in the middle of an LDAP group refresh: in rare cases an error could interrupt the retrieval of group members without the refresh being marked as failed. PAM then updated the group with only the users processed before the error and removed every user that had not been retrieved yet.

Resolution

PAM Engineering improved error processing to eliminate the possibility of refreshing a group from a partially retrieved member list. The fix will be available in 4.1.6+ and 4.2+. If you observe this problem on a lower release and an upgrade is not an option yet, please open a case with PAM Support.
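The following is an added illustration of the failure mode described under Cause and of the corrected behaviour described under Resolution. It is hypothetical example code, not PAM's own logic: the directory is simulated in memory, `SimulatedLdapGroup`, `LdapError`, `RefreshResult` and `refresh_group` are all assumed names, and the sample membership is constructed. With `guard_partial=False` an error after the first page is swallowed and every member not yet retrieved is reported as removed; with `guard_partial=True` the same error fails the refresh and leaves the stored membership untouched.

```python
"""Added illustration of a partial LDAP group refresh and its guarded variant.
Hypothetical code, not PAM's own logic: the directory is simulated in memory
and LdapError stands in for whatever the LDAP client raises mid-search."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set


class LdapError(Exception):
    """Stand-in for an error raised by the directory during a paged search."""


@dataclass
class SimulatedLdapGroup:
    """In-memory directory group that returns its members page by page.

    fail_after_page: raise LdapError once that many pages have been returned
    (None means the search completes normally)."""
    members: List[str]
    page_size: int = 2
    fail_after_page: Optional[int] = None

    def iter_pages(self) -> Iterator[List[str]]:
        pages = [self.members[i:i + self.page_size]
                 for i in range(0, len(self.members), self.page_size)]
        for n, page in enumerate(pages, start=1):
            yield page
            if self.fail_after_page is not None and n == self.fail_after_page:
                raise LdapError("simulated directory error mid-refresh")


@dataclass
class RefreshResult:
    """Membership delta a refresh would apply to the local copy of the group."""
    added: Set[str] = field(default_factory=set)
    removed: Set[str] = field(default_factory=set)
    failed: bool = False
    error: Optional[str] = None


def refresh_group(current_members: Set[str], group: SimulatedLdapGroup,
                  guard_partial: bool) -> RefreshResult:
    """Refresh the local membership of `group` from the directory.

    guard_partial=False reproduces the failure mode: an error in the middle of
    the paged search is swallowed, the partial list is treated as the full
    group, and every member not yet retrieved shows up as removed.
    guard_partial=True is the corrected behaviour: any error marks the refresh
    as failed and no membership change is applied."""
    collected: List[str] = []
    try:
        for page in group.iter_pages():
            collected.extend(page)
    except LdapError as exc:
        if guard_partial:
            # Corrected behaviour: fail the refresh, keep local membership as-is.
            return RefreshResult(failed=True, error=str(exc))
        # Buggy behaviour: the error is not surfaced as a failure and the
        # partial list is reconciled below as if it were complete.
    retrieved = set(collected)
    return RefreshResult(added=retrieved - current_members,
                         removed=current_members - retrieved)


if __name__ == "__main__":
    # Constructed sample data: five members currently stored locally, and the
    # directory search fails after the first page of two.
    stored = {"alice", "bob", "carol", "dave", "erin"}
    for guard in (False, True):
        group = SimulatedLdapGroup(members=sorted(stored), fail_after_page=1)
        result = refresh_group(stored, group, guard_partial=guard)
        print(f"guard_partial={guard}: failed={result.failed} "
              f"removed={sorted(result.removed)} error={result.error}")
```

Run directly, the script shows the unguarded refresh removing carol, dave and erin after a failure on the first page, while the guarded refresh reports `failed=True` and removes nobody. The design point is that a membership delta may only be computed from a retrieval that finished; an exception anywhere in the paged search must abort the reconcile step rather than merely be logged.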