I'm installing and configuring CA PAM here in our company for the first time. I followed all the steps on this page: Install the Domain Orchestrator - CA Process Automation - 4.3 - CA Technologies Documentation . However, after installing and running the service, I can't log in using the pamadmin user.
When I enter EEM selecting the Process Automation application, I see the following users in Manage identities page:
Our EEM is referencing users from an external LDAP, so I think these users are not in the LDAP directory. But the Install Guide has no information about creating users, groups or domain rights in AD when user info comes from an external LDAP.
If you log in under the Process Automation context in EEM as EiamAdmin, you can add application groups to global users. Just as you searched for PAMAdmin, search for a user that exists in the external LDAP directory (like yourself), then you can add the appropriate application groups to that account. This will allow you to log into PAM.
The issue was not about letting new users log into PAM, but about these users that were not configured properly... But I found out that someone had already tried to install CA PAM here before, and these users may not have been removed. I think this was the cause of the conflict...
Your screen capture tells you the issue. Note that these four users are Orphaned Users. This is exactly because your EEM is configured to use an LDAP source (in this case AD). They are created in the EEM internal store, but you are not using the EEM internal store, you are using the LDAP source. As Benjamin recommended, identify a user (or create a new user) in your AD that you will use to administer your PAM. Add that user to the appropriate PAM groups.
I see... But the wizard shouldn't have created the users in LDAP?
Correct, PAM cannot create users in your directory. The pamadmin and other pam_* users can only be created if EEM is using the Internal user store.