LDAP group refresh error


Article ID: 5030


Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

While refreshing an LDAP group, some users get one of the following errors:

"Message 2089: Duplicate Password Authority username %s".
or
"PAM-CMN-1810 = Duplicate Password Authority username {0}. User not added"

Cause

Typically this means that the related user object is not properly defined or synchronized across the various PAM internal databases. PAM keeps separate databases for access and for credential management, so one of them can become unsynchronized from the other, leaving some objects inconsistent between the two databases (e.g. an account that exists in the access database but has no corresponding reference in credential management).


Environment

All PAM Releases

Resolution

Contact CA Support, who will provide you with a patch to synchronize the PAM databases, XS_USR_SYNC.a.bin.

Please apply it to the PAM appliance using the upload feature in the Upgrade menu of the CA PAM UI.

Once applied, its scripts launch immediately and sync the databases. Should the script need to be rerun, the patch has to be reapplied.

A cluster needs to be stopped first; then apply the fix on the Primary node only. Once done, restart the cluster, which copies the fixed databases over to all the other nodes.

It is recommended to perform the operation during off hours.

Note that there is no rollback mechanism built into the patch, and no guarantee can be given that it fully resolves the issue.

Please take a backup of the CA PAM database or a snapshot of the entire VM beforehand in case it is necessary to revert.