Symantec Privileged Access Management

 View Only
  • 1.  Not able to auto refresh the LDAP groups

    Posted Mar 31, 2020 02:24 AM
    Dear Team,

    We have configured LDAP in CAPAM and also many groups are imported from ActiveDirectory. We have  given 30 min time to auto refresh the LDAP groups.  It is happened previously since one year. but since one week it is not happening. We have checked the bind account password also. And it is working fine. We are able to connect LDAP from CAPAM console to import new groups. But auto refreshing only not working after the interval time. If we do refresh LDAP  group manually then it is working for some groups and some groups are failed to refresh. 

    Please find the attached catelina.log logs by debug mode we have generated. And also find the session logs error below.

    PAM-LDAP-0004: An exception ( [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:

    'OU=PAM,OU=Permission Groups,DC=ncellvendor,DC=net,DC=np'

    ] ) occurred while processing LDAP group CN=Pam User,OU=PAM,OU=Permission Groups,DC=ncellvendor,DC=net,DC=np. LDAP sync for this group will be aborted.



    CAPAM version: 3.2.6



    ------------------------------
    Network and security Engineer technical associative
    Cas Trading House
    Putalisadak, KTM
    ------------------------------


  • 2.  RE: Not able to auto refresh the LDAP groups
    Best Answer

    Broadcom Employee
    Posted Mar 31, 2020 02:56 AM

    Hello Sudip,

     

    Possibly what you describe is due to known issues e.g.

     

    01346142

    DE416062

    The LDAP importer hangs and prevents group imports, and refreshes until a reboot.

    01242500

    DE394213

    An error occurs importing an LDAP group.

     

    which fixes are already included in the current product release.

     

    Note, PAM r3.2.x is going EOL by end of April hence we recommend you upgrade your PAM appliances accordingly.

     

    Should the issue remain, please do not hesitate to open a formal Support Case with us – provide us with the logs.bin file which will include relevant logs regarding the ldap import.

     

    Best Regards,

    Andreas

     






  • 3.  RE: Not able to auto refresh the LDAP groups

    Posted Apr 23, 2020 11:04 AM
    Hi 

    Does the above defects also impacts the deletion of users from PAM , we have deleted some users from LDAP but the same is not getting reflected in PAM.

    Any suggestions.


  • 4.  RE: Not able to auto refresh the LDAP groups

    Broadcom Employee
    Posted Apr 24, 2020 01:15 AM
    Hello Kanika Narang,

    If you are able to manually refresh the LDAP Groups in CA PAM, you should be able to see the uses which no longer exist in LDAP being deleted when the refresh completes.

    There are certain situations where the LDAP user is part of some User Groups or has some Group policy the LDAP user may not get deleted from CA PAM.

    In the past we did provide NCell with a User_Sync Patch, you can apply this patch again and then review the session logs to find out where the problem could be happening or the specific users.

    Next as mentioned by Andreas already, do plan for an upgrade to a supported CA PAM version as from today all 3.2.x releases will be EOS, and this would land you in a self service mode for assistance with issues for the 3.2.x versions. We would no further be developing any hot fixes or new features for 3.2.x releases including 3.2.7 

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 5.  RE: Not able to auto refresh the LDAP groups

    Posted Apr 24, 2020 04:22 AM
    Thanks Reatesh for the response, yes we are planning to upgrade to the latest version, however for the time being can you help me with the link to download the Patch.


  • 6.  RE: Not able to auto refresh the LDAP groups

    Broadcom Employee
    Posted Apr 24, 2020 06:09 AM
    Hello Kanika Narang,

    You will need to open a support case so that we can share this user_sync patch to you.

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------