Symantec Privileged Access Management

  • 1.  PAM-CMN-0628: "An LDAP operation is in progress" has been stuck for several days and a restart does not work

    Posted Dec 04, 2020 07:26 AM
    Edited by Adolfo Navarro Dec 04, 2020 07:30 AM
    Hello!!

    What is the maximum number of users in an LDAP group that CA PAM can refresh without getting stuck? For example, a customer has an LDAP group of more than 1000 users; the process got stuck, took more than 2 hours to refresh the group, and did not finish.
    We had to restart the CA PAM instance, but the "An LDAP operation is in progress." message is persistent. What do we do? A case was opened with support and they did not offer an optimal answer; they only recommended that we review the information at: https://knowledge.broadcom.com/external/article?articleId=115357. The information shared by Broadcom had been reviewed before the case was created; for that reason the case was opened, and this was discussed in the case description.

    The situation is a high priority for the customer, as they need to refresh the LDAP group for new users who need to access CA PAM, and there are Access Policies configured for this LDAP group within CA PAM.

    CA PAM Version 3.3.1.203.

    Please, does anyone have any suggestions? Thank you!

    Adolfo.

    ------------------------------
    Senior IT Consultant
    eSoft Colombia, s.a.s
    ------------------------------


  • 2.  RE: PAM-CMN-0628: "An LDAP operation is in progress" has been stuck for several days and a restart does not work

    Broadcom Employee
    Posted Dec 20, 2020 07:49 AM

    Adolfo

    The document is correct. If you are not seeing messages for that LDAP refresh which never ends, then the LDAP refresh process may simply be hanging each time it attempts to refresh. Does this make sense? I suspect that there is some unhandled error from the LDAP which is not being reported by the refresh process. I would suggest removing the large group and first making sure the process works fine without that group. If that works, you may want to look into how that group is defined to better understand the background error. There are several LDAP synchronization errors that are fixed in later patches for CA PAM 3.3.x. I would suggest planning to upgrade to 3.3.5, which was recently released.

    Joe




  • 3.  RE: PAM-CMN-0628: "An LDAP operation is in progress" has been stuck for several days and a restart does not work

    Posted Dec 20, 2020 08:35 AM
    Hi Josep,

    I had already done the tests you suggest before opening the case and creating this post, without positive results.

    Reviewing the LDAP group with the Active Directory administrator, he tells us that the group is the same as all the others, which do refresh without problems; the only difference is that it has more than 1500 users.

    I made the decision to create a third node, join it to the cluster as a member so that it has the KEK, and replicate the same LDAP group structure, including the group that fails to refresh. Then I detached it from the cluster and updated it to the latest version, 3.4.2, which is the recommendation of the document (https://knowledge.broadcom.com/external/article?articleId=115357). The surprise is that all groups refresh correctly and quickly except the large group with more than 1500 users; the result is that the message remains stuck in the dashboard and does not allow any more LDAP operations.

    The log.bin and session logs were uploaded to the case, and the Broadcom technician downloaded a full VApp dump to send to product engineering for further analysis of the case.

    Thank you.

    Adolfo.
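
    Added example (not code from the thread, from Broadcom, or from CA PAM): the one thing that changes at exactly the size reported above is how Active Directory answers a read of a multi-valued attribute. By default AD caps the values returned per request at the MaxValRange LDAP policy setting (1500) and signals the cap by tagging the attribute as `member;range=0-1499`; a client that does not notice the tag silently sees 1500 members, and a client that does must keep requesting `member;range=N-*` until the server marks the last chunk with `*`. The thread does not establish that this is the cause of the hang (the dump went to product engineering), so this block only shows the directory-side behaviour a practitioner would check first for a group of that size, using an in-memory stand-in for the AD group rather than a live directory. The group DN, member DNs and the `FakeADGroup` class are constructed for the example; the 1500 default and the `attr;range=lo-hi` tagging are AD's documented range retrieval behaviour.

```python
"""Simulated Active Directory range retrieval for a large group's `member` attribute.

Added example, not from the thread or from CA PAM. The FakeADGroup below is a
constructed stand-in that answers like an AD domain controller with the default
MaxValRange of 1500: it never returns more than that many values per request and
tags a capped response as 'member;range=lo-hi' ('*' as hi marks the final chunk).
"""
import re

MAX_VAL_RANGE = 1500  # AD default for the LDAP policy setting MaxValRange

# Matches an attribute name carrying a range tag, e.g. 'member;range=1500-*'
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


class FakeADGroup:
    """Constructed stand-in for an AD group entry (no real directory involved)."""

    def __init__(self, dn, members, max_val_range=MAX_VAL_RANGE):
        self.dn = dn
        self.members = list(members)
        self.max_val_range = max_val_range

    def read_attr(self, requested):
        """Answer a single-attribute read ('member' or 'member;range=lo-hi').

        Returns {attribute_name_as_it_appears_in_the_response: [values]}.
        """
        m = RANGE_RE.match(requested)
        if m:
            lo = int(m.group("lo"))
            hi = None if m.group("hi") == "*" else int(m.group("hi"))
        else:
            lo, hi = 0, None
        # A group at or under the cap is served as a plain attribute, no tag.
        if len(self.members) <= self.max_val_range and lo == 0 and hi is None:
            return {"member": self.members}
        end = min(len(self.members), lo + self.max_val_range)
        if hi is not None:
            end = min(end, hi + 1)
        chunk = self.members[lo:end]
        # AD marks the last chunk with '*'; otherwise it reports the explicit upper bound.
        tag = f"member;range={lo}-*" if end >= len(self.members) else f"member;range={lo}-{end - 1}"
        return {tag: chunk}


def naive_members(group):
    """What a client that ignores range tags sees: at most MaxValRange members."""
    resp = group.read_attr("member")
    return next(iter(resp.values()))


def is_truncated(group):
    """Diagnostic check: does a plain 'member' read come back with a range tag?"""
    return any(RANGE_RE.match(attr) for attr in group.read_attr("member"))


def fetch_all_members(group, max_rounds=10_000):
    """Client-side range retrieval: request 'member;range=N-*' until the server
    marks the final chunk with '*'. The round limit keeps a server that never
    sends the final marker from hanging the caller indefinitely."""
    members = []
    request = "member"
    for _ in range(max_rounds):
        resp = group.read_attr(request)
        (attr, values), = resp.items()
        members.extend(values)
        m = RANGE_RE.match(attr)
        if m is None or m.group("hi") == "*":
            return members
        request = f"member;range={int(m.group('hi')) + 1}-*"
    raise RuntimeError(f"range retrieval of {group.dn} did not terminate after {max_rounds} rounds")


if __name__ == "__main__":
    # Constructed sample: a 1600-member group, just over the default cap.
    big = FakeADGroup(
        "CN=PAM-Users,OU=Groups,DC=example,DC=com",
        (f"CN=user{i},OU=People,DC=example,DC=com" for i in range(1600)),
    )
    print("truncated on plain read:", is_truncated(big))
    print("members without range retrieval:", len(naive_members(big)))
    print("members with range retrieval:", len(fetch_all_members(big)))
```

    Against a real domain controller the same check is a plain `ldapsearch` for the group's `member` attribute: if the response attribute comes back named `member;range=0-1499`, the directory is capping the read and the consuming client has to implement the range loop (or the administrator has to raise MaxValRange in the LDAP policy). Whether CA PAM's refresh handles that tag is exactly the kind of question the dump sent to product engineering would answer; nothing in the thread confirms it either way.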






  • 4.  RE: PAM-CMN-0628: "An LDAP operation is in progress" has been stuck for several days and a restart does not work

    Broadcom Employee
    Posted Dec 20, 2020 08:52 AM

    Adolfo

    Thank you for the update. Since development is reviewing, please update this thread with the answer after you have received it.

    Joe