Symantec Privileged Access Management

Expand all | Collapse all

CA PAM AD sync & licensing

Jump to Best Answer
  • 1.  CA PAM AD sync & licensing

    Posted 12-11-2017 10:25 AM

    Hello Team,


    Just a general questions about PAM:


    - How much time PAM takes to get synced with LDAP? How and when PAM gets synced with AD ? Where can we check these configs? And how to edit these settings. I have manually tried to refresh the LDAP group but getting error "ldap operation is in progress". 


    What actually triggers this questions is we have added one user in the AD group however it has not synced since last 5 days in our QA environment. And the same AD group is added to our Production environment also. However there it synced however after 3 days. Can anyone shed some light on this behavior.


    - How the license agreement of session management and paassword management works with PAM. Is it based on the number of devices we create?



  • 2.  Re: CA PAM AD sync & licensing
    Best Answer

    Broadcom Employee
    Posted 12-11-2017 11:13 AM

    Team V,


    Please, in the future, limit your entries to one question per thread.  And also let us know what version of CAPAM you are asking your questions about.


    Please see the following documentation for the setup and use of LDAP groups:  Import LDAP Groups - CA Privileged Access Manager - 3.0.2 - CA Technologies Documentation 


    LDAP is configured on Config/3rd Party/LDAP page where the AD server info is input and the Update Interval (minutes): input is located.  The update interval is when the refresh of that domain will take place.  So what we suggest is to set it for 1440 which is what we consider the default (24hrs).  How large the group is and traffic on the network and servers will determine how long the group refresh takes.  If you have multiple domains, you would need to make sure that they do not kick off at the same time as this can cause a slowdown of CAPAM.  To do that, you would need to update the refresh minutes after the amount of time that the first group finishes refreshing so there is no overlap.  If you have more domains, then you would need to do the same for all of them so that none of them overlap.

    If you get the message "ldap operation is in progress" then that is what is happening, the group is in the middle of refreshing and will not refresh again until it is finished.

    For the question about your refresh problem, in pre 2.8.4 there may be a problem with the refresh being broekn by a temporary network outage that was fixed in 2.8.4.  See the notes in our documentation: Resolved Issues in 2.8.4 - CA Privileged Access Manager - 2.8.4 - CA Technologies Documentation 


    The license uses licenses depending on what Access Targets (uses Access licenses) and what Target Accounts (uses Password licenses) are created.


    I hope this helps!


    Regards,  Anthony

  • 3.  Re: CA PAM AD sync & licensing

    Posted 12-12-2017 02:07 AM

    Thanks Manan for detail description. I will keep in mind your points. 


    PAM version is 2.8. 


    Update Interval in PAM-QA is 1440 minutes while in production PAM it is 60 minutes.


    What needs to be done to solve the AD sync issue now? We have just implemented PAM in our infra and don't want to upgrade it. 


    Any other options?




  • 4.  Re: CA PAM AD sync & licensing

    Broadcom Employee
    Posted 12-12-2017 10:02 AM



    If your production has a refresh of 60, that means that you will refresh all the groups every hour, and with QA at 1440, it will refresh every 24 hours.  Why is QA set to a different refresh time?  The short refresh time in Prod could be the reason for your problem, that there is an LDAP refresh already running; the groups may not be finished refreshing while you are trying to access, and the next refresh starts again before the first one finishes.  You would need to look in the Session Logs to see how long the whole sync for a domain takes and adjust the timing to give you more room for the resync.  If you have more than one domain, you need to know how long the refreshes take, stagger the sync by updating the first domain with a length of time that is past the full reysnc. Then at the point the first domain would finish the sync, you would update the second domain with an amount of time to start and finish so that it doesnt overlap and finishes before the next domain starts and so forth.  This could also be the cause of your AD issue as well :  

    00741778DE292790LDAP synchronization is no longer broken by a temporary network outage.

    The documentation notes what appears to be your problem with the AD sync also. If you feel that you cannot upgrade, and without knowing the exact cause of the problem, I cannot give you any other answers except to open a new case for the AD issue. The only way to verify that this is the true cause, would be to have a set of logs.bin from the Primary node.    Go to Config/Diagnostics and set Web Service Log Level  to "Debug" and LDAP Sync Log Level to "Verbose".  Reproduce the problem, on the Primary node, go to Config/Diagnostics/System Diagnostics/Download System Log Files.  Note the Date and Time and then create the new case, upload the Logs.bin file to the case and set the diagnostic settings back to their defaults.





  • 5.  Re: CA PAM AD sync & licensing

    Posted 12-13-2017 02:28 AM

    Thanks Anthony for the help. I got the root cause. 


    Actually, we are using the same AD group(for eg.: Group2) for both QA and PROD. There are currently very few users and PAM is taking just 2-3 secs to sync the group in PROD. Now I could see the sync logs in production every 60 minutes however not able to see any such logs in QA. Previously, we have integrated another AD group(Group1) with QA PAM, which contains 60000 users.  And then we changed the configurations of QA PAM to new PROD group(Group2) and removed the previous AD group(Group1). However I checked session logs today in QA but could not see any sync logs. So, I restarted the QA PAM appliance and now I can see sync happened in blink of an eye. Not sure why AD configurations where not reflected without restart in QA. As I have directly integrated Group2 with PROD PAM, so no issues faced. I think we need restart of PAM appliance, after changing AD configs.




  • 6.  Re: CA PAM AD sync & licensing

    Broadcom Employee
    Posted 12-13-2017 11:02 PM

    The problem caused by a temporary network outage while an LDAP sync is in progress that was mentioned by Anthony resulted in an orphaned stuck sync process that prevented any other LDAP sync, manual or automatic following the configured refresh interval, from running. A reboot will resolve this problem. But in general that is not needed when you reconfigure LDAP. In your case it may not have been a network outage that caused the problem, but some other communication problem that caused the sync to hang rather than abort. Possibly there is an issue if a sync is in progress while the integration is reconfigured. Whatever the cause, the latest patches include a fix to terminate any remaining sync processes when the connection to AD has to be reestablished because of a temporary connection loss or change in configuration, which should eliminate the need for a reboot.