With PAM v2.7, LDAP group import fails with java.lang.ArrayIndexOutOfBoundsException if the base DN is not associated with domain component (dc) attributes.
== LDAPImport0.log ==
<record>
<date>2016-11-09T23:33:16</date>
<millis>1478734396161</millis>
<sequence>18</sequence>
<logger>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</logger>
<level>SEVERE</level>
<class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
<method>importLDAPGroupMember</method>
<thread>10</thread>
<message>Exception occurred while importing LDAP member</message>
<exception>
<message>java.lang.ArrayIndexOutOfBoundsException: 1</message>
<frame>
<class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
<method>importLDAPGroupMember</method>
<line>42</line>
</frame>
<frame>
<class>com.xceedium.gatekeeper.ldapSink.DatabaseLDAPDataSink</class>
<method>run</method>
<line>299</line>
</frame>
<frame>
<class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
<method>run</method>
<line>19</line>
</frame>
<frame>
<class>java.lang.Thread</class>
<method>run</method>
</frame>
</exception>
</record>
PAM looks up the LDAP member using the domain component (dc) attribute. Hence, an exception is thrown when we attempt to import LDAP group members from an LDAP instance with a base DN of “o=Democorp,c=au”.
Workaround:
Use an LDAP instance with domain component (dc) attributes as its base DN.
The issue is not observed with earlier releases of PAM, e.g. PAM v2.5 and v2.6.
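To find out before an import whether a configured base DN falls into the case described above, the following Python check parses the DN and reports whether it contains any dc component. It is an added example, not part of the original article and not PAM code; the function names and the sample DNs other than "o=Democorp,c=au" are constructed for illustration. It splits on unescaped separators, so a literal "dc=" inside an escaped value is not mistaken for a dc attribute.

```python
# Added example: pre-import check for base DNs without dc components.
# Function names and sample DNs are constructed for illustration.
DC_TYPES = {"dc", "domaincomponent", "0.9.2342.19200300.100.1.25"}  # names and OID of dc

def split_unescaped(text, separators):
    """Split text on separator characters that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
        elif ch in separators:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    parts.append("".join(current))
    return parts

def dc_components(dn):
    """Return the dc values found in a DN, in order; empty list if none."""
    if not dn.strip():
        return []
    values = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN component: {ava!r}")
            if attr.strip().lower() in DC_TYPES:
                values.append(value.strip())
    return values

def check_base_dn(dn):
    """Return "ok" if the base DN has dc components, "no-dc" otherwise."""
    return "ok" if dc_components(dn) else "no-dc"

SAMPLES = [
    "o=Democorp,c=au",                   # base DN from the article
    "ou=Groups,DC=democorp,dc=example",  # constructed: dc-based DN
    r"o=a\,dc=b,c=au",                   # constructed: "dc=" inside an escaped value
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(f"{check_base_dn(dn):6} {dn}")
```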