Refresh of LDAP groups is failing


Article ID: 4928

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

When I select the refresh LDAP button in Users:Manage Groups, the synchronization fails with

Message error 2011 (user is not updated)

or with a message stating that a user was moved to another user.

 

This fails for users whose Distinguished Names in AD share the same text before the escaped comma, for example:

CN=Smith\, John,OU=Users,DC=ca,DC=com

CN=Smith\, Michael,OU=Users,DC=ca,DC=com

 

If these users have already been imported into PAM, the update failure error appears on refresh.

As a result, some users that are members of a group in AD are not imported into PAM.

Following the example: if user CN=Smith\, John,OU=Users,DC=ca,DC=com is a member of CN=Windows Admin,OU=Users,DC=ca,DC=com and user CN=Smith\, Michael,OU=Users,DC=ca,DC=com is a member of CN=Linux Admin,OU=Users,DC=ca,DC=com, then refreshing LDAP in PAM may add the user CN=Smith\, John,OU=Users,DC=ca,DC=com to the group CN=Linux Admin,OU=Users,DC=ca,DC=com in PAM and remove it from CN=Windows Admin,OU=Users,DC=ca,DC=com.

In AD, however, the users are in the expected groups.

Cause

The issue occurs for users whose CN contains an escaped comma and whose CNs are identical up to that comma.
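The cause above is a DN-parsing mistake: an escaped comma (\,) inside a CN value is treated as the separator between RDNs, so both "Smith\, John" and "Smith\, Michael" collapse to the same first RDN and PAM confuses the two accounts. The following added example (not CA or PAM code; the sample DNs are the two from this article plus one constructed entry) contrasts naive comma-splitting with a parser that honours RFC 4514 backslash and hex escapes, and provides a check an administrator can run over a directory export to list the users that would collide before triggering a refresh.

```python
# Added example, not CA/PAM code: shows why DNs whose CN contains an escaped
# comma collide under naive comma-splitting, and how an RFC 4514-aware parser
# keeps them distinct.
import re
from typing import Dict, List, Tuple

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Sample input: the two DNs from the article plus one constructed entry.
SAMPLE_DNS = [
    r"CN=Smith\, John,OU=Users,DC=ca,DC=com",
    r"CN=Smith\, Michael,OU=Users,DC=ca,DC=com",
    r"CN=Jane Doe,OU=Users,DC=ca,DC=com",  # constructed, no escaped comma
]


def split_escaped(s: str, sep: str) -> List[str]:
    """Split s on every UNESCAPED sep, leaving escape sequences intact."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep "\x" as a unit, never split inside it
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(v: str) -> str:
    """Decode RFC 4514 escapes: '\\,' -> ',' and '\\2C' (hex pairs) -> bytes -> UTF-8."""
    out, pending, i = [], bytearray(), 0

    def flush() -> None:
        if pending:
            out.append(pending.decode("utf-8", errors="replace"))
            pending.clear()

    while i < len(v):
        if v[i] == "\\" and HEX_PAIR.fullmatch(v[i + 1:i + 3]):
            pending.append(int(v[i + 1:i + 3], 16))  # accumulate multi-byte runs
            i += 3
            continue
        flush()
        if v[i] == "\\" and i + 1 < len(v):
            out.append(v[i + 1])  # escaped special character, taken literally
            i += 2
        else:
            out.append(v[i])
            i += 1
    flush()
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse a DN into (attribute, value) pairs, honouring escapes."""
    pairs = []
    for rdn in split_escaped(dn, ","):
        attr, _, raw = rdn.partition("=")  # attribute types never contain '='
        pairs.append((attr.strip().upper(), unescape_value(raw)))
    return pairs


def rdn_key(dn: str) -> str:
    """Identity key a correct implementation would use: the parsed first RDN value."""
    return parse_dn(dn)[0][1]


def naive_key(dn: str) -> str:
    """Identity key a comma-splitting implementation ends up with."""
    return dn.split(",")[0]


def find_naive_collisions(dns: List[str]) -> Dict[str, List[str]]:
    """Group DNs that a naive splitter would mistake for the same entry."""
    groups: Dict[str, List[str]] = {}
    for dn in dns:
        groups.setdefault(naive_key(dn), []).append(dn)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"naive={naive_key(dn)!r:16} parsed={rdn_key(dn)!r}")
    for key, members in find_naive_collisions(SAMPLE_DNS).items():
        print(f"collision on {key!r}: {members}")
```

Running find_naive_collisions over an export of the DNs of all group members gives the list of accounts that an escape-unaware refresh would mix up; those are the entries to verify in PAM after applying the patch.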

Environment

It has been detected in releases 2.7 and 2.8.

Resolution

A patch has been created to fix this issue. The fix is available for download on the PAM support page:

https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-privileged-access-manager-solutions-patches.html

 

Release 2.7: CAPAM_2.7.0.07.p.zip

Release 2.8: CAPAM_2.8.1.p.zip