PAM Session Logs Show NO_OBJECT Error During LDAP Refreshes

Article ID: 366818


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When refreshing user or device groups in one Active Directory domain, the following error occurs for one or more groups every time the refresh happens.

PAM-LDAP-0004: An exception ( [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of:  'CN=...,OU=.....,DC=...,DC=...' ] ) occurred while processing LDAP group CN=...,OU=.....,DC=...,DC=.... LDAP sync for this group will be aborted.

Environment

Privileged Access Manager, all versions

Cause

The group was deleted from Active Directory but still existed in PAM. This is expected behavior: PAM will not automatically delete an LDAP user or device group that has been deleted from Active Directory. The data is preserved within PAM in case the group was accidentally deleted in Active Directory, the domain controller was missing information, or a similar issue produced an incorrect NO_OBJECT error.
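Before deleting anything from PAM it helps to know how much of the group's DN Active Directory could still resolve. The following Python script is an added example, not code from the article or from Broadcom: it parses PAM-LDAP-0004 lines from the session log and compares the "best match of" DN with the group's parent container. Reading the best-match DN as the longest existing prefix of the requested DN follows standard LDAP matchedDN semantics (RFC 4511), which is an assumption about how to interpret the message rather than something the article states; the regex is likewise an assumption built from the one quoted line, and the sample log lines and DNs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the PAM-LDAP-0004 message as quoted in the article. The exact
# layout is an assumption taken from that one quoted line, not a documented
# PAM log format; adjust it if your appliance formats the message differently.
PAM_LDAP_0004 = re.compile(
    r"PAM-LDAP-0004: An exception \( \[LDAP: error code (?P<code>\d+) - "
    r"(?P<detail>.*?)best match of:\s*'(?P<matched>[^']*)'\s*\] \) "
    r"occurred while processing LDAP group (?P<group>.+?)\. "
    r"LDAP sync for this group will be aborted\."
)


@dataclass
class RefreshFailure:
    code: int         # LDAP result code; 32 is noSuchObject (NO_OBJECT)
    group_dn: str     # DN of the group PAM tried to refresh
    matched_dn: str   # deepest existing prefix of that DN, as reported by AD
    detail: str       # AD-specific text between the result code and the best match


def parse_failure(line: str) -> Optional[RefreshFailure]:
    """Return the structured failure from one PAM log line, or None if the
    line is not a PAM-LDAP-0004 message."""
    m = PAM_LDAP_0004.search(line)
    if not m:
        return None
    return RefreshFailure(
        code=int(m.group("code")),
        group_dn=m.group("group").strip(),
        matched_dn=m.group("matched").strip(),
        detail=m.group("detail").strip().rstrip(","),
    )


def _split_dn(dn: str):
    # Split on commas that are not escaped with a backslash (RDN values may contain "\,").
    return [r for r in re.split(r"(?<!\\),", dn) if r.strip()]


def _normalize_dn(dn: str) -> str:
    # Trim and lower-case each RDN so "DC=Example, DC=com" and "dc=example,dc=com" compare equal.
    return ",".join(r.strip().lower() for r in _split_dn(dn))


def classify_failure(f: RefreshFailure) -> str:
    """Decide how far AD could resolve the group DN (assumed matchedDN semantics).

    - best match equals the group's parent container: only the group entry is
      gone, consistent with the group having been deleted from AD;
    - best match is shorter than the parent: a container above the group does
      not resolve, so the group may still exist under a renamed or moved OU;
      check the directory before removing anything from PAM.
    """
    if f.code != 32:
        return "NOT_NO_OBJECT"
    parent = ",".join(_split_dn(f.group_dn)[1:])
    if _normalize_dn(f.matched_dn) == _normalize_dn(parent):
        return "GROUP_ENTRY_MISSING"
    return "CONTAINER_MISSING"


# Constructed sample log lines with fictitious DNs; not output from a real appliance.
SAMPLE_LOG = [
    "PAM-LDAP-0004: An exception ( [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, "
    "problem 2001 (NO_OBJECT), data 0, best match of:  'OU=Groups,DC=example,DC=com' ] ) "
    "occurred while processing LDAP group CN=PAM-Admins,OU=Groups,DC=example,DC=com. "
    "LDAP sync for this group will be aborted.",
    "PAM-LDAP-0004: An exception ( [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, "
    "problem 2001 (NO_OBJECT), data 0, best match of:  'DC=example,DC=com' ] ) "
    "occurred while processing LDAP group CN=DB-Operators,OU=Legacy,DC=example,DC=com. "
    "LDAP sync for this group will be aborted.",
    "PAM-LDAP-0001: LDAP refresh completed for domain example.com",
]


def triage(lines):
    """Map each failed group DN to its classification; unrelated lines are skipped."""
    result = {}
    for line in lines:
        f = parse_failure(line)
        if f is not None:
            result[f.group_dn] = classify_failure(f)
    return result


if __name__ == "__main__":
    for dn, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:20s} {dn}")
```

A GROUP_ENTRY_MISSING verdict is the situation this article describes and is a reasonable candidate for the manual deletion in the Resolution section; a CONTAINER_MISSING verdict means the DN stopped resolving above the group itself, which is worth checking in Active Directory first rather than treating as a deleted group.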

Resolution

Confirm that the group does need to be deleted, then go to the user/device groups page in PAM and manually delete that group. Note that if that group is the only one an LDAP user or device is a member of, PAM will also delete that user or device. For a user, all access policies containing the user will be deleted. For a device, all access policies, target applications, and target accounts associated with the device will also be deleted. If the user or device must remain in PAM and the group must be deleted, import a second LDAP group that the user or device is a member of before deleting the stale group from PAM.