Refresh of LDAP groups is failing



Article ID: 4928




CA Privileged Access Manager - Cloakware Password Authority (PA)

CA Privileged Access Manager (PAM)


When I select the refresh LDAP button in Users: Manage Groups, the synchronization fails with either

Message error 2011 (user is not updated)

or a message that a user was moved to another user.


The failure occurs for users whose Distinguished Names in AD are identical up to an escaped comma in the CN, for example:

CN=Smith\, John,OU=Users,DC=ca,DC=com

CN=Smith\, Michael,OU=Users,DC=ca,DC=com


If these users have already been imported into PAM, the update failure error is seen on refresh.

As a result, some users that are members of a group in AD are not imported into PAM.

Following the example, suppose user CN=Smith\, John,OU=Users,DC=ca,DC=com is a member of CN=Windows Admin,OU=Users,DC=ca,DC=com and user CN=Smith\, Michael,OU=Users,DC=ca,DC=com is a member of CN=Linux Admin,OU=Users,DC=ca,DC=com.

If I then refresh the LDAP in PAM, the system may add or remove the wrong user: for example, it may add CN=Smith\, John,OU=Users,DC=ca,DC=com to the group CN=Linux Admin,OU=Users,DC=ca,DC=com in PAM and remove it from CN=Windows Admin,OU=Users,DC=ca,DC=com.

However, if I check AD, the users are in the expected groups.


This has been detected in Release 2.7 and 2.8.


The issue appears for users with commas in the CN when the account names are otherwise similar.
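The following is an added illustration of the cause described above; it is not PAM product code and makes no claim about how PAM parses DNs internally. It contrasts a DN split on bare commas with one that honours the RFC 4514 backslash escape, and reconciles group membership under each approach using the two Smith users and two groups from the article (constructed AD data; the function and variable names are the example's own).

```python
"""
Added example (not PAM product code): why keying users on the text before
the first bare comma conflates DNs whose CN contains an escaped comma, and
how an RFC 4514-aware split keeps them apart.
"""


def split_dn(dn: str) -> list[str]:
    """Split a DN string into its RDN strings.

    A backslash escapes the next character (RFC 4514), so "\\," is part of
    the attribute value and must not be treated as an RDN separator.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(ch)
            current.append(dn[i + 1])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape_value(value: str) -> str:
    """Turn an escaped RDN value ("Smith\\, John") into plain text ("Smith, John").

    Only the single-character "\\X" escape is handled here; the "\\XX" hex
    form from RFC 4514 is out of scope for this example.
    """
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_value(rdn: str) -> tuple[str, str]:
    """Split "CN=Smith\\, John" into ("CN", "Smith, John")."""
    attr, _, value = rdn.partition("=")
    return attr.strip(), unescape_value(value.strip())


def naive_key(dn: str) -> str:
    """The failing approach: everything before the first bare comma."""
    return dn.split(",")[0]


def rfc4514_key(dn: str) -> str:
    """The correct approach: the first RDN with escapes honoured, then normalised."""
    attr, value = rdn_value(split_dn(dn)[0])
    return f"{attr.upper()}={value}"


def memberships(groups: dict[str, list[str]], key_fn) -> dict[str, set[str]]:
    """Build user-key -> set(group DN) from group DN -> member DNs, as a refresh would."""
    result: dict[str, set[str]] = {}
    for group_dn, member_dns in groups.items():
        for member in member_dns:
            result.setdefault(key_fn(member), set()).add(group_dn)
    return result


# Constructed AD data using the DNs from the article.
JOHN = r"CN=Smith\, John,OU=Users,DC=ca,DC=com"
MICHAEL = r"CN=Smith\, Michael,OU=Users,DC=ca,DC=com"
WINDOWS_ADMIN = "CN=Windows Admin,OU=Users,DC=ca,DC=com"
LINUX_ADMIN = "CN=Linux Admin,OU=Users,DC=ca,DC=com"
AD_GROUPS = {WINDOWS_ADMIN: [JOHN], LINUX_ADMIN: [MICHAEL]}

if __name__ == "__main__":
    # Naive keying collapses both users into one key holding both groups,
    # which is how a refresh ends up moving a user between groups.
    print(memberships(AD_GROUPS, naive_key))
    print(memberships(AD_GROUPS, rfc4514_key))
```

With the naive key both DNs reduce to the same string (`CN=Smith\`), so a single synthetic user appears to be in both groups and a refresh reconciling against that view can attach the wrong user to the wrong group. With the escape-aware key the two users stay distinct and each keeps only its own group, matching what AD actually holds.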


A patch has been created to fix this issue. The fix is available for download on the PAM support page:


Release 2.7:

Release 2.8: