Symantec Privileged Access Management


HOW TO: LDAP Refresh user groups, when AD user object's CN is renamed

  • 1.  HOW TO: LDAP Refresh user groups, when AD user object's CN is renamed

    Posted May 22, 2019 10:29 AM

    On 3.2.4.62 physical clustered appliances:

    A client recently discovered an issue with LDAP user-group refresh not working when a member has changed.

    In this particular case, a user was a member of an LDAP group, which had been imported/synced without issue at some point in the past. This user's account, however, was recently changed.

    We have confirmed that the user's CN had been renamed. The AD user object had remained the same, but the CN, UPN and mail attributes seemed to have been updated.

    When refreshing the LDAP user-group we got an error and a warning - it's the warning that first led us to believe that the CN was renamed.

    NOTE: the DN for these objects is exactly the same, except for the CN portion.

    Moreover, the object is a member of multiple PAM groups twice (once with the old CN name and once with the new CN name). The old CN name entry doesn't seem to want to drop out, although it doesn't exist in LDAP anymore.

    Is this a known issue?

    How do we fix this?



  • 2.  Re: HOW TO: LDAP Refresh user groups, when AD user object's CN is renamed
    Best Answer

    Posted May 22, 2019 02:50 PM

    This issue was resolved following this procedure:

    1. In AD, remove the account object from all registered LDAP user groups (you can find this list from the User's Group tab)
    2. Refresh the LDAP groups in PAM (This step should remove both old and new account object - review the LDAP User Group's Users tab to confirm)
    3. Add the AD object back to the LDAP groups in AD
    4. Refresh LDAP groups again.
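Before running the remove-and-re-add procedure above, it helps to know which PAM group entries are stale and which of them are the old half of a CN rename. The following is an added example, not code from the thread or from the PAM product: it takes a constructed snapshot of the DNs PAM lists for a group (with the PAM username) and the group's current AD members (DN plus sAMAccountName, assumed unchanged by the rename, as the poster observed), and reports stale entries, members PAM has not picked up, and stale entries that map to a live object in the same container under a new CN.

```python
import re

# Split a DN into its RDNs, honouring RFC 4514 backslash escapes so that
# "CN=Smith\, John,OU=Staff,..." keeps the comma inside the CN value.
def split_dn(dn):
    return [p.replace("\\,", ",") for p in re.split(r"(?<!\\),", dn)]

def rdn_parts(dn):
    """Return (cn, parent_dn), lower-cased for case-insensitive comparison."""
    rdns = split_dn(dn)
    attr, _, value = rdns[0].partition("=")
    cn = value.strip().lower() if attr.strip().upper() == "CN" else None
    parent = ",".join(r.strip().lower() for r in rdns[1:])
    return cn, parent

def audit_group(pam_members, ad_members):
    """Compare PAM's stored members with AD's current group membership.

    pam_members: [(dn, pam_username)]   ad_members: [(dn, sAMAccountName)]
    stale:   DNs PAM still lists that are no longer in the AD group
    missing: current AD members PAM has not imported yet
    renamed: stale DN -> live DN with the same account name in the same
             container (the CN-only rename this thread describes)
    """
    pam = {dn.lower(): (dn, user) for dn, user in pam_members}
    ad = {dn.lower(): (dn, sam) for dn, sam in ad_members}
    stale = [pam[k][0] for k in pam if k not in ad]
    missing = [ad[k][0] for k in ad if k not in pam]
    by_sam = {sam.lower(): dn for dn, sam in ad_members}
    renamed = {}
    for old_dn in stale:
        user = pam[old_dn.lower()][1]
        new_dn = by_sam.get(user.lower())
        # Same parent container but a different (current) DN => CN was renamed
        if new_dn and rdn_parts(new_dn)[1] == rdn_parts(old_dn)[1]:
            renamed[old_dn] = new_dn
    return {"stale": stale, "missing": missing, "renamed": renamed}

# Constructed sample: PAM still holds jsmith's pre-rename DN next to the new one.
PAM_MEMBERS = [
    ("CN=jsmith,OU=Staff,DC=corp,DC=example", "jsmith"),
    ("CN=Smith\\, John,OU=Staff,DC=corp,DC=example", "jsmith"),
    ("CN=jdoe,OU=Staff,DC=corp,DC=example", "jdoe"),
]
AD_MEMBERS = [
    ("CN=Smith\\, John,OU=Staff,DC=corp,DC=example", "jsmith"),
    ("CN=jdoe,OU=Staff,DC=corp,DC=example", "jdoe"),
    ("CN=alee,OU=Staff,DC=corp,DC=example", "alee"),
]
```

Entries reported under `renamed` are the ones the procedure above clears; `missing` entries should simply appear after the next refresh.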