The error message "PAM-CM-3431: Distinguished Name (DN) must be specified" may be encountered in more than one situation. This article looks at one such use case:
- The users are created in Active Directory
- The accounts are discovered using the "Discovery" option for Target Accounts
- Once these accounts are discovered, they are managed in CA PAM
- For some reason these accounts are deleted from Active Directory, but the same accounts are NOT deleted in CA PAM.
- The same user is created again in Active Directory, the Discovery job is executed once more, and the accounts are discovered and managed.
- The problem occurs when the user was not deleted in CA PAM but only recreated in Active Directory, and a password modification or verification is then attempted from CA PAM.
CA PAM: 4.1.6 / 4.1.7
This problem occurs because the LDAP Object ID is not refreshed for the newly created user account.
Currently, this problem is being investigated by the product engineering team. The fix will be included in later versions of CA PAM.
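
One way to spot the stale object ID condition before a password operation fails, as an added example that is not CA PAM code: it compares the object IDs held for managed accounts against a current directory snapshot. It assumes the LDAP Object ID corresponds to Active Directory's objectGUID; the record layout, account names and GUIDs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    sam: str        # sAMAccountName
    dn: str         # distinguished name
    object_id: str  # assumption: AD objectGUID stands in for the "LDAP Object ID"


def classify(managed, directory):
    """Return {sam: status} for each managed record against a live snapshot."""
    by_id = {e.object_id: e for e in directory}
    by_sam = {e.sam.lower(): e for e in directory}
    status = {}
    for m in managed:
        live = by_id.get(m.object_id)
        if live is not None:
            # Same object: a rename or OU move keeps the ID but changes the DN.
            status[m.sam] = "ok" if live.dn.lower() == m.dn.lower() else "moved"
        elif m.sam.lower() in by_sam:
            # The name exists under a different ID: deleted and created again,
            # which is the situation this article describes.
            status[m.sam] = "recreated"
        else:
            status[m.sam] = "missing"
    return status


# Constructed sample data (hypothetical domain, names and GUIDs).
MANAGED = [
    Entry("svc_backup", "CN=svc_backup,OU=Svc,DC=example,DC=test", "aaaa0000-0000-0000-0000-000000000001"),
    Entry("svc_sql", "CN=svc_sql,OU=Svc,DC=example,DC=test", "aaaa0000-0000-0000-0000-000000000002"),
    Entry("svc_web", "CN=svc_web,OU=Svc,DC=example,DC=test", "aaaa0000-0000-0000-0000-000000000003"),
    Entry("svc_old", "CN=svc_old,OU=Svc,DC=example,DC=test", "aaaa0000-0000-0000-0000-000000000004"),
]
DIRECTORY = [
    Entry("svc_backup", "CN=svc_backup,OU=Svc,DC=example,DC=test", "aaaa0000-0000-0000-0000-000000000001"),
    # Deleted and recreated: same name and DN, new object ID.
    Entry("svc_sql", "CN=svc_sql,OU=Svc,DC=example,DC=test", "bbbb0000-0000-0000-0000-000000000002"),
    # Moved to another OU: same object ID, new DN.
    Entry("svc_web", "CN=svc_web,OU=Web,DC=example,DC=test", "aaaa0000-0000-0000-0000-000000000003"),
]

if __name__ == "__main__":
    for sam, state in classify(MANAGED, DIRECTORY).items():
        print(f"{sam}: {state}")
```

Accounts reported as `recreated` are the ones where the stored record no longer points at the live directory object.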