Refresh of LDAP groups is failing


Article ID: 4928


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)


When I click the Refresh LDAP button in Users:Manage Groups, the synchronization fails and shows either

Message error 2011 (user is not updated)

or a message that a user was moved to another user.


This fails for users whose Distinguished Names in AD start with the same name before an escaped comma, for example:

CN=Smith\, John,OU=Users,DC=ca,DC=com

CN=Smith\, Michael,OU=Users,DC=ca,DC=com


If these users are already imported into PAM, the update failure error is seen on refresh.

As a result, some users that are members of a group in AD are not imported into PAM.

Following the example, suppose user CN=Smith\, John,OU=Users,DC=ca,DC=com is a member of CN=Windows Admin,OU=Users,DC=ca,DC=com and user CN=Smith\, Michael,OU=Users,DC=ca,DC=com is a member of CN=Linux Admin,OU=Users,DC=ca,DC=com.

If I refresh the LDAP in PAM, the system may add or remove the wrong user, for example adding user CN=Smith\, John,OU=Users,DC=ca,DC=com to the group CN=Linux Admin,OU=Users,DC=ca,DC=com in PAM and removing it from CN=Windows Admin,OU=Users,DC=ca,DC=com.

However, if I check in AD, the users are in the expected groups.


The issue appears for users with escaped commas in the CN when the account names are similar.
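The following Python example is added here to illustrate the failure mode described above; it is not CA PAM code and does not show how PAM itself resolves group members. It contrasts cutting a DN at the first comma (which maps both sample DNs to the same prefix) with splitting on unescaped commas only, as RFC 4514 requires, and uses the parsed RDN sequence as the comparison key. The two DNs are the ones from the article; the helper names (`split_rdns`, `parse_rdn`, `dn_key`, `collisions`) are this example's own.

```python
r"""Parse LDAP Distinguished Names with escaped commas (RFC 4514).

Added example, not CA PAM code: it shows why DNs such as
CN=Smith\, John,... and CN=Smith\, Michael,... collide when the CN is
taken as "everything before the first comma", and how to compare them
by their parsed RDN sequence instead.
"""
import re

# Constructed sample DNs taken from the article's example.
DN_JOHN = r"CN=Smith\, John,OU=Users,DC=ca,DC=com"
DN_MICHAEL = r"CN=Smith\, Michael,OU=Users,DC=ca,DC=com"

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def naive_first_component(dn):
    """The failure mode: cut the DN at the first comma, escaped or not.

    Both sample DNs yield 'CN=Smith\\', so they are indistinguishable.
    """
    return dn.split(",", 1)[0]


def split_rdns(dn):
    """Split a DN into its RDN strings on *unescaped* commas only."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)  # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def parse_rdn(rdn):
    """Return (ATTRIBUTE_TYPE, unescaped value) for one RDN such as 'CN=Smith\\, John'."""
    attr, _, raw = rdn.partition("=")
    value, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            hex_pair = raw[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(hex_pair):
                # \XX hex escape; assumption: single-byte (ASCII) characters only
                value.append(chr(int(hex_pair, 16)))
                i += 3
            else:
                value.append(raw[i + 1])  # \, \+ \" \\ and similar pair escapes
                i += 2
        else:
            value.append(raw[i])
            i += 1
    return attr.strip().upper(), "".join(value)


def parse_dn(dn):
    """Parse a DN into a list of (type, value) tuples, leaf RDN first."""
    return [parse_rdn(r) for r in split_rdns(dn)]


def dn_key(dn):
    """Comparison key: attribute types case-folded, values unescaped (values are left as-is)."""
    return tuple(parse_dn(dn))


def group_by_key(dns, key_fn):
    """Bucket DNs by key; a bucket holding more than one DN is a collision."""
    buckets = {}
    for dn in dns:
        buckets.setdefault(key_fn(dn), []).append(dn)
    return buckets


def collisions(dns, key_fn):
    """Return the groups of distinct DNs that key_fn cannot tell apart."""
    return [group for group in group_by_key(dns, key_fn).values() if len(group) > 1]


if __name__ == "__main__":
    users = [DN_JOHN, DN_MICHAEL]
    print("naive key collisions:", collisions(users, naive_first_component))
    print("parsed key collisions:", collisions(users, dn_key))
    for dn in users:
        print(parse_dn(dn))
```

Running the block prints one collision for the naive key (both users map to `CN=Smith\`) and none for the parsed key. As a check before a refresh, `collisions()` can be run over the member DNs exported from a group to find pairs that a prefix-based match would confuse.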


It has been detected in Releases 2.7 and 2.8.


A patch has been created to fix this issue. The fix is available for download from the PAM support page:


Release 2.7:

Release 2.8: