Since upgrading to Privileged Access Management (PAM) 4.2.2, an administrator has noticed that LDAP target accounts in one of their managed domains periodically fail.
LDAP target accounts in their other managed domain continue to work normally.
PAM 4.2.1 and 4.2.2
In the Tomcat logs you will see the following error:
loginToActiveDirectoryServer Could not retrieve the UPN for targetAccount <TargetAccountName> exception: java.lang.NullPointerException.
In the lines immediately above it, the baseDN values belong to a different LDAP domain that PAM is also managing. PAM is therefore searching the wrong domain for that user, so the UPN lookup fails.
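A quick way to confirm this pattern across a large Tomcat log is to correlate each UPN error with the last baseDN logged before it and compare that domain with the one the target account should live in. The script below is an added triage example written for this article, not PAM's own code or output: only the "Could not retrieve the UPN for targetAccount ... java.lang.NullPointerException" text comes from the KB, while the sample log layout, the "baseDN=" wording, the account names and the EXPECTED_DOMAIN mapping are constructed assumptions that you would replace with your own log and target account configuration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample excerpt, not real PAM 4.2.2 output. Only the
# "Could not retrieve the UPN ..." text is taken from the KB; the timestamp
# layout and the "baseDN=..." wording are assumptions for illustration.
SAMPLE_TOMCAT_LOG = """\
2024-05-01 08:00:01 INFO  loginToActiveDirectoryServer connecting, baseDN=DC=corp,DC=example,DC=com
2024-05-01 08:00:01 INFO  loginToActiveDirectoryServer lookup ok for targetAccount svc-corp-backup
2024-05-01 08:00:05 INFO  loginToActiveDirectoryServer connecting, baseDN=DC=lab,DC=example,DC=net
2024-05-01 08:00:05 ERROR loginToActiveDirectoryServer Could not retrieve the UPN for targetAccount svc-corp-backup exception: java.lang.NullPointerException
2024-05-01 08:00:09 INFO  loginToActiveDirectoryServer connecting, baseDN=DC=lab,DC=example,DC=net
2024-05-01 08:00:09 INFO  loginToActiveDirectoryServer lookup ok for targetAccount svc-lab-monitor
"""

# Hypothetical mapping of target account -> domain it is defined in. Fill this
# from your own PAM target account configuration.
EXPECTED_DOMAIN: Dict[str, str] = {
    "svc-corp-backup": "corp.example.com",
    "svc-lab-monitor": "lab.example.net",
}

BASEDN_RE = re.compile(r"baseDN=(?P<dn>\S+)")
UPN_ERROR_RE = re.compile(
    r"Could not retrieve the UPN for targetAccount (?P<account>\S+) "
    r"exception: java\.lang\.NullPointerException"
)


def dn_to_domain(dn: str) -> str:
    """Turn 'DC=lab,DC=example,DC=net' into 'lab.example.net' using only the DC components."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def find_wrong_domain_lookups(log_text: str, expected: Dict[str, str]) -> List[dict]:
    """Correlate each UPN NullPointerException with the last baseDN logged before it.

    Returns one record per error whose preceding baseDN resolves to a domain other
    than the one the target account is expected to be in (unknown accounts are
    reported too, with expected_domain set to None).
    """
    findings: List[dict] = []
    last_dn: Optional[str] = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m_dn = BASEDN_RE.search(line)
        if m_dn:
            last_dn = m_dn.group("dn")  # remember the most recent search base
            continue
        m_err = UPN_ERROR_RE.search(line)
        if not m_err:
            continue
        account = m_err.group("account")
        searched = dn_to_domain(last_dn) if last_dn else None
        wanted = expected.get(account)
        if searched != wanted:
            findings.append({
                "line": lineno,
                "account": account,
                "searched_domain": searched,
                "expected_domain": wanted,
            })
    return findings


if __name__ == "__main__":
    for f in find_wrong_domain_lookups(SAMPLE_TOMCAT_LOG, EXPECTED_DOMAIN):
        print(f"line {f['line']}: {f['account']} was looked up under "
              f"{f['searched_domain']}, expected {f['expected_domain']}")
```

Run it against a saved copy of the Tomcat log (read the file into `log_text` in place of the constructed sample); a non-empty result for accounts that work in the other domain is the signature described above, and an empty result after moving to 4.2.3 confirms the fix.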
The issue is resolved as 36324704/DE635037 in the 4.2.3 release. If upgrading to 4.2.3 or later is not an option at this time, open a support case and reference this KB article.