Hello Kanika Narang,
If you are able to manually refresh the LDAP Groups in CA PAM, you should be able to see the users which no longer exist in LDAP being deleted when the refresh completes.
There are certain situations, where the LDAP user is part of some User Groups or has some Group policy, in which the LDAP user may not get deleted from CA PAM.
In the past we did provide NCell with a User_Sync patch; you can apply this patch again and then review the session logs to find out where the problem could be happening, or for which specific users.
Next, as mentioned by Andreas already, do plan for an upgrade to a supported CA PAM version, as from today all 3.2.x releases are EOS, and this would land you in a self-service mode for assistance with issues on the 3.2.x versions. We will no longer be developing any hotfixes or new features for 3.2.x releases, including 3.2.7.
Thanks,
Reatesh.
------------------------------
Principal Support Engineer
Broadcom
------------------------------
Original Message:
Sent: 04-23-2020 10:21 AM
From: Kanika Narang
Subject: Not able to auto refresh the LDAP groups
Hi
Do the above defects also impact the deletion of users from PAM? We have deleted some users from LDAP, but the same is not getting reflected in PAM.
Any suggestions?
Original Message:
Sent: 03-31-2020 02:55 AM
From: Andreas Müller
Subject: Not able to auto refresh the LDAP groups
Hello Sudip,
Possibly what you describe is due to known issues, e.g.
01346142 | DE416062 | The LDAP importer hangs and prevents group imports and refreshes until a reboot. |
01242500 | DE394213 | An error occurs importing an LDAP group. |
whose fixes are already included in the current product release.
Note, PAM r3.2.x is going EOL by end of April, hence we recommend you upgrade your PAM appliances accordingly.
Should the issue remain, please do not hesitate to open a formal Support Case with us – provide us with the logs.bin file which will include relevant logs regarding the ldap import.
Best Regards,
Andreas
Original Message:
Dear Team,
We have configured LDAP in CAPAM, and many groups are imported from Active Directory. We have set a 30 min interval to auto refresh the LDAP groups. This has worked for the past year, but since one week it is not happening. We have checked the bind account password as well, and it is working fine. We are able to connect to LDAP from the CAPAM console to import new groups, but only the auto refresh is not working after the interval time. If we refresh the LDAP groups manually, then it works for some groups and some groups fail to refresh.
Please find attached the catalina.log we generated in debug mode. Also find the session log error below.
PAM-LDAP-0004: An exception ( [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=PAM,OU=Permission Groups,DC=ncellvendor,DC=net,DC=np'
] ) occurred while processing LDAP group CN=Pam User,OU=PAM,OU=Permission Groups,DC=ncellvendor,DC=net,DC=np. LDAP sync for this group will be aborted.
CAPAM version: 3.2.6
------------------------------
Network and Security Engineer, Technical Associate
Cas Trading House
Putalisadak, KTM
------------------------------
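The PAM-LDAP-0004 line in the original post wraps a standard LDAP result code 32 (noSuchObject, RFC 4511), and the "best match of" value is the server's matchedDN: the deepest ancestor of the requested DN that still exists. Comparing it against the group DN tells you which part of the path has disappeared from Active Directory. The following Python script is an added example for this thread, not code from CA PAM or Broadcom; it parses the log line quoted above (copied from the post, joined onto one line) and reports the missing RDNs. The function names and the verdict wording are assumptions of the example.

```python
import re

# Session-log line copied from the original post above (joined onto one line).
SAMPLE_LOG = (
    "PAM-LDAP-0004: An exception ( [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: "
    "'OU=PAM,OU=Permission Groups,DC=ncellvendor,DC=net,DC=np' ] ) occurred "
    "while processing LDAP group CN=Pam User,OU=PAM,OU=Permission Groups,"
    "DC=ncellvendor,DC=net,DC=np. LDAP sync for this group will be aborted."
)

CODE_RE = re.compile(r"LDAP: error code (\d+)")
MATCHED_RE = re.compile(r"best match of:\s*'([^']*)'")
GROUP_RE = re.compile(r"processing LDAP group (.+?)\. LDAP sync")


def split_dn(dn):
    """Split a DN into its RDNs on unescaped commas (RFC 4514 escaping)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def diagnose(log_line):
    """Explain a PAM-LDAP-0004 line; returns None if no LDAP result code is present."""
    code_m = CODE_RE.search(log_line)
    if code_m is None:
        return None
    group_m = GROUP_RE.search(log_line)
    matched_m = MATCHED_RE.search(log_line)
    result = {
        "code": int(code_m.group(1)),
        "group_dn": group_m.group(1).strip() if group_m else None,
        "matched_dn": matched_m.group(1).strip() if matched_m else None,
        "missing_rdns": [],
        "verdict": "",
    }
    if result["code"] != 32:
        result["verdict"] = "not a noSuchObject (32) result; read the result code text instead"
        return result
    if result["group_dn"] is None or result["matched_dn"] is None:
        result["verdict"] = "noSuchObject, but group DN or matchedDN could not be parsed"
        return result

    group_rdns = split_dn(result["group_dn"])
    matched_rdns = split_dn(result["matched_dn"])
    n = len(matched_rdns)
    # matchedDN must be a suffix of the requested DN; DNs compare case-insensitively.
    suffix_ok = n == 0 or (
        n <= len(group_rdns)
        and [r.lower() for r in group_rdns[-n:]] == [r.lower() for r in matched_rdns]
    )
    if not suffix_ok:
        result["verdict"] = "matchedDN is not a suffix of the group DN; cannot localise the gap"
        return result

    missing = group_rdns[:-n] if n else list(group_rdns)
    result["missing_rdns"] = missing
    if not missing:
        result["verdict"] = "matchedDN equals the group DN; unexpected for noSuchObject"
    elif len(missing) == 1:
        # Only the leaf is gone: the container exists, the group object does not.
        result["verdict"] = (
            f"group object itself is missing ({missing[0]}) under an existing container; "
            "it was deleted, renamed or moved in the directory, so re-import it from its new DN"
        )
    else:
        result["verdict"] = (
            f"container(s) missing: {', '.join(missing[1:])}; the whole subtree below "
            f"{result['matched_dn']} is gone or moved"
        )
    return result


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG)
    print(f"result code {r['code']}, missing RDNs: {r['missing_rdns']}")
    print(r["verdict"])
```

For the quoted line the matchedDN is the parent OU, so the only missing RDN is CN=Pam User: the group object itself no longer exists at the DN PAM stored, which is why the sync for that one group is aborted while others refresh fine. Running this over a whole session log quickly separates groups that were deleted or moved in AD from real importer failures such as the defects Andreas listed.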