Tampering Detected During Manual LDAP Refresh
Article ID: 275736
Updated On:
Products
Issue/Introduction
After upgrading to 4.1.3 PAM, the following error occurs when running an LDAP refresh manually and the user is kicked out.
PAM-CMN-1172: Your session has been terminated by an CA PAM administrator.
The following is seen in the session logs at the time the user was kicked out.
PAM-CMN-1176: A potential tampering attempt has been detected, the end user's local system may be compromised. Session will be terminated.
This issue only happens on some appliances in the cluster.
Environment
Privileged Access Manager 4.1.3-4.1.5
Cause
LDAP refreshes only occur on the primary leader, so if it is initiated on another appliance in the cluster, that appliance will send a curl command for the primary leader to run the refresh. As of 4.1.3, a timeout value was added to the curl command in order to address another defect.
If the LDAP refresh takes longer than the timeout value, then this error will occur. However, the LDAP refresh will not be interrupted by this error, as evidenced by the "LDAP operation in progress" message on the dashboard.
Resolution
The development team is looking to address this behavior with a change to the LDAP refresh functionality, tentatively for the 4.1.6 and 4.2.0 releases.
As a workaround, please perform all manual LDAP refreshes on the primary leader. To determine which appliance is the primary leader, go to Configuration > Clustering and click the Status tab. The page will look similar to the following example.
Feedback
