Should we be concerned about frequent PAM-CMN-0628 messages on the dashboard?

Article ID: 115357

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

When PAM administrators log on to PAM, they often see the message "Warning: PAM-CMN-0628: An LDAP operation is in progress." near the top of the dashboard.

Does the PAM-CMN-0628 message suggest that there is a problem with PAM or the LDAP synchronization?

Environment

This applies to all PAM 3.X releases up to 3.3.4 and 3.4.1.

Cause

PAM launches a separate process to refresh LDAP groups at the time intervals configured on the Configuration > 3rd Party > LDAP page.

The same process is launched when a PAM Administrator tries to refresh an existing group or import a new group. PAM allows only one instance, so while an instance is running, the PAM administrator will not be able to do a refresh or import.

Resolution

In most cases this message does not indicate a problem; it correctly reports that an LDAP refresh operation is in progress. The refresh interval for imported LDAP user groups is configured by the PAM Administrator in the LDAP configuration on the Configuration > 3rd Party > LDAP page. The refresh interval should be significantly larger than the duration of the refresh operation. To check how long the refresh operations take, and whether they start and complete at the configured refresh interval, review the session logs:

- Go to the Sessions > Logs page.
- In the Column field, select "Details".
- In the Value field, enter "LDAP".
- Click on the Filter button.
- Look for messages containing "LDAP connection made". This denotes the start of the LDAP refresh and should be followed by multiple messages containing "LDAP Group", one per imported LDAP user group.

The time interval between the "connection" message and the last "LDAP Group" message provides a rough estimate of the refresh task duration. There is some overhead at the beginning and end. If there is only a small time interval between the last "LDAP Group" message and the next LDAP connection, consider increasing the refresh time interval.

If you find no recent LDAP messages for more than the configured refresh interval, and you keep getting the PAM-CMN-0628 message on the dashboard, this suggests a real refresh problem such as a hung process on the PAM appliance. In that case, please open a ticket with PAM support.
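
The log review described above can be scripted once the filtered rows are copied out of the Sessions > Logs page. The following Python is an added example, not Broadcom code: the `timestamp | details` row layout, the sample rows and the `min_idle_ratio` threshold are assumptions, and only the "LDAP connection made" and "LDAP Group" message fragments come from this article.

```python
from datetime import datetime, timedelta

# Constructed sample rows, not real PAM output. The "timestamp | details" layout
# is an assumption; only the quoted message fragments come from the article.
SAMPLE_LOG = """\
2020-09-01 02:00:05 | LDAP connection made
2020-09-01 02:03:10 | LDAP Group Admins refreshed
2020-09-01 02:11:40 | LDAP Group Operators refreshed
2020-09-01 02:30:04 | LDAP connection made
2020-09-01 02:33:00 | LDAP Group Admins refreshed
2020-09-01 02:58:30 | LDAP Group Operators refreshed
2020-09-01 03:00:06 | LDAP connection made
"""

def parse(text):
    """Return sorted (timestamp, details) pairs for rows mentioning LDAP."""
    events = []
    for line in text.splitlines():
        stamp, sep, details = line.partition(" | ")
        if sep and "LDAP" in details:
            events.append((datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S"), details))
    return sorted(events)

def refresh_cycles(events):
    """Group events into cycles: one connection row plus its LDAP Group rows."""
    cycles = []
    for ts, details in events:
        if "LDAP connection made" in details:
            cycles.append({"start": ts, "last_group": None})
        elif "LDAP Group" in details and cycles:
            cycles[-1]["last_group"] = ts
    return cycles

def assess(events, interval, now, min_idle_ratio=0.25):
    """Flag short idle gaps and stale logs. min_idle_ratio is an assumed threshold."""
    findings = []
    cycles = refresh_cycles(events)
    for cur, nxt in zip(cycles, cycles[1:]):
        if cur["last_group"] is None:
            continue  # connection row with no group rows: no duration to estimate
        duration = cur["last_group"] - cur["start"]
        idle = nxt["start"] - cur["last_group"]
        if idle < interval * min_idle_ratio:
            findings.append(f"{cur['start']}: refresh ~{duration}, idle {idle}; consider a longer interval")
    if not events or now - events[-1][0] > interval:
        findings.append("no LDAP rows within the refresh interval; possible hung refresh")
    return findings

if __name__ == "__main__":
    for finding in assess(parse(SAMPLE_LOG), timedelta(minutes=30), datetime(2020, 9, 1, 3, 45)):
        print(finding)
```

A stale-log finding from this check matters only when the PAM-CMN-0628 message is also still showing on the dashboard.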

Note that in September 2020 a problem was identified that could cause the LDAP refresh to hang permanently. This problem should be fixed in 3.4.2 and later releases.