LDAP group import failed

Article ID: 4744

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

With PAM v2.7, LDAP group import fails with java.lang.ArrayIndexOutOfBoundsException if the base DN is not associated with domain component (dc) attributes.

  

== LDAPImport0.log ==

<record>
  <date>2016-11-09T23:33:16</date>
  <millis>1478734396161</millis>
  <sequence>18</sequence>
  <logger>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</logger>
  <level>SEVERE</level>
  <class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
  <method>importLDAPGroupMember</method>
  <thread>10</thread>
  <message>Exception occurred while importing LDAP member</message>
  <exception>
    <message>java.lang.ArrayIndexOutOfBoundsException: 1</message>
    <frame>
      <class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
      <method>importLDAPGroupMember</method>
      <line>42</line>
    </frame>
    <frame>
      <class>com.xceedium.gatekeeper.ldapSink.DatabaseLDAPDataSink</class>
      <method>run</method>
      <line>299</line>
    </frame>
    <frame>
      <class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
      <method>run</method>
      <line>19</line>
    </frame>
    <frame>
      <class>java.lang.Thread</class>
      <method>run</method>
    </frame>
  </exception>
</record>

Cause

PAM looks up LDAP members using the domain component (dc) attribute. As a result, an exception is thrown when importing LDAP group members from an LDAP instance with a base DN of “o=Democorp,c=au”.

Environment

PAM: 2.7
User Directory: CA Directory R12 SP18

Resolution

The defect is addressed in a later patch release of PAM v2.7: CAPAM_2.7.0.06.p.zip

Additional Information

Workaround:

Use an LDAP instance with domain component (dc) attributes as its base DN.

 

The issue is not observed with earlier releases of PAM, e.g. PAM v2.5 and v2.6.
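
A way to check an appliance for this issue, as an added example that is not part of the original article or of PAM: the Python below scans LDAPImport log text for the failure signature shown in the excerpt above and tests whether a base DN contains any dc component. The function names and the sample log are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET
# Added example; function names are hypothetical. Constructed sample in the
# java.util.logging XML layout; the INFO record is made up and </log> is absent.
SAMPLE_LOG = """<!DOCTYPE log SYSTEM "logger.dtd">
<log>
<record>
  <date>2016-11-09T23:33:16</date>
  <level>SEVERE</level>
  <method>importLDAPGroupMember</method>
  <exception>
    <message>java.lang.ArrayIndexOutOfBoundsException: 1</message>
  </exception>
</record>
<record>
  <date>2016-11-09T23:34:02</date>
  <level>INFO</level>
</record>
"""

def find_import_failures(log_text):
    """Return the dates of records matching this article's failure signature."""
    hits = []
    # Parse each <record> on its own so a log without </log> still parses.
    for block in re.findall(r"<record>.*?</record>", log_text, re.DOTALL):
        rec = ET.fromstring(block)
        exc = rec.findtext("exception/message", default="")
        if (rec.findtext("level") == "SEVERE"
                and rec.findtext("method") == "importLDAPGroupMember"
                and "ArrayIndexOutOfBoundsException" in exc):
            hits.append(rec.findtext("date"))
    return hits

def rdn_attribute_types(dn):
    """Attribute types of a DN, honouring backslash-escaped ',' and '+'."""
    types, start, i = [], 0, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 1  # step over the escaped character as well
        elif dn[i] in ",+":
            types.append(dn[start:i].split("=", 1)[0].strip().lower())
            start = i + 1
        i += 1
    types.append(dn[start:].split("=", 1)[0].strip().lower())
    return types

def base_dn_has_dc(base_dn):
    """True when the base DN contains at least one dc component."""
    return "dc" in rdn_attribute_types(base_dn)
```

A base DN for which `base_dn_has_dc` returns False on an unpatched PAM v2.7 matches the condition described under Cause.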