On 18.104.22.168 physical clustered appliances:
a client recently discovered an issue with LDAP user-group refresh not working when a member has changed.
in this particular case, a user was a member of an LDAP group, which had been imported/synced, without issue at some point in the past. This user's account, however, was recently changed.
We have confirmed that the user's CN had been renamed. The AD User object had remained the same, but the CN, upn, mail seemed to have been updated.
When refreshing the LDAP user-group we an error and a warning - it's the warning that first led us to believe that the CN was renamed.
NOTE: that the DN for these objects is exactly the same, except for the CN portion.
Moreover, the object is a member of multiple PAM Groups twice (once with the old CN name and once with the new CN name). The old CN name entry doesn't seem to want to drop out, although it doesn't exist in LDAP anymore.
Is this a known issue?
how do we fix this?
This issue was resolved following this procedure: