Symantec Privileged Access Management

  • Private Community
 View Only

  • 1.  Error with register ldap user groups - PAM 3.0.2

    Posted Jan 26, 2018 04:33 PM
      |   view attached

    Hi 

     

    I have the next error when y connect to active directory endpoint,select the groups to register but alway get this error how response "PAM LDAP 0025: LDAP group CN ... not found in domain".


    The account has been validate an working in other escenarios how rdp sessions and have permission to domain admin

    what is the posible cause?

     

    I working with PAM 3.0.2 .

     

    Attached error image

     

     

    Thanks



  • 2.  Re: Error with register ldap user groups - PAM 3.0.2
    Best Answer

    Posted Jan 26, 2018 05:25 PM

    Hi Julian.  Whenever there are problems refreshing, or importing, ldap groups a good tool to identify the cause are the system logs.  Go to the Config --> Diagnostic page and set the LDAP Sync Log Level to Verbose.  Reproduce the problem and download the System Log file, logs.bin.  The logs.bin will have to be reviewed by someone in Support, as the logs.bin contains a lot of internal information and is encrypted.  It would be best if you opened a ticket and attached the logs.bin created as described above.



  • 3.  Re: Error with register ldap user groups - PAM 3.0.2

    Posted Jan 27, 2018 03:29 PM

    Hi voged01

     

    I have opened the case with the requested inf, but while they are responding and out of curiosity, replicate the
    environment with 1 active directory and 2 PAM. One in version 2.8 and the other in version 3.0.2, replicate the process
    of importing the user groups and in version 2.8 the process was successful while in the 3.0.2 it presents
    the error "PAM-LDAP-0025: LDAP group .DNgroup ... not found in domain"


    Will be a fails in this version ?


  • 4.  Re: Error with register ldap user groups - PAM 3.0.2

    Broadcom Employee
    Posted Jan 26, 2018 06:23 PM

    Hi, If you are dealing with a single domain only, please follow Ed's advice. If you have multiple domains in a forest of trusted relationship, and the group belongs to a domain different from the one you configured in PAM, you should try using the global catalog ports 3268 or 3269 instead of 389 or 636.