Is it required to refresh LDAP users groups in PAM ?

Document ID : KB000117663
Last Modified Date : 17/10/2018
Question:
If a PAM user has policies configured and belongs to an LDAP group, and is then removed from that LDAP group, will the user still be able to access the target devices based on the unchanged policies?
Answer:
Please note that PAM's LDAP users are imported into the PAM userDB; PAM evaluates policies against this imported copy, not against the live directory.

Hence, unless the LDAP group is refreshed in PAM after the modification in LDAP, nothing changes from a PAM perspective: the user keeps the access granted by the policies until the next refresh.

Once you refresh the LDAP group in PAM:
If the user has left the LDAP group, the policies no longer apply to that user (they are effectively disabled).
If the user remains in the same LDAP group and only their OU has changed, the policies remain intact.

Note:
In addition to an explicit manual refresh of the LDAP group from the PAM UI, the LDAP group is also refreshed automatically at the interval set in the Configuration / 3rd Party / LDAP / Update Interval (minutes) field. Until that refresh runs, a user removed from the group in LDAP retains the group's policies, so the Update Interval bounds how long revoked LDAP membership can still grant access in PAM.
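The following is an added illustration of the behaviour described above, written for this article; it is not CA PAM code and does not use any PAM API. It models a hypothetical PAM-side cache of an imported LDAP group (a `PamLdapGroup` class with `refresh` and `auto_refresh_if_due` methods, an `effective_policies` helper and a `simulate` driver, all of which are assumptions of this example) against a constructed mock directory, and shows that a user removed from the group in LDAP keeps the group's policies until the next manual or interval-based refresh, while a user who only moved to another OU keeps them after the refresh as well. The example assumes PAM keys imported users by their account name (the `uid` RDN), which is why an OU change alone does not affect membership.

```python
from dataclasses import dataclass, field

GROUP_DN = "cn=pam-admins,ou=groups,dc=example,dc=com"


def make_directory() -> dict:
    """Constructed sample LDAP content (not a real directory): group DN -> member DNs."""
    return {
        GROUP_DN: {
            "uid=alice,ou=finance,dc=example,dc=com",
            "uid=bob,ou=finance,dc=example,dc=com",
        }
    }


def uid_from_dn(dn: str) -> str:
    """Return the RDN value of a user DN, e.g. 'uid=alice,ou=...' -> 'alice'.

    Assumption of this example: PAM identifies an imported user by account name,
    so a user whose OU changes but whose uid does not remains the same PAM user.
    """
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1]


@dataclass
class PamLdapGroup:
    """Hypothetical model of an LDAP group imported into PAM's userDB."""
    ldap_dn: str
    policies: frozenset                          # policies attached to the group in PAM
    members: set = field(default_factory=set)    # cached snapshot of member uids
    last_refresh_minute: int = 0

    def refresh(self, directory: dict, now_minute: int) -> None:
        """Re-import membership from LDAP (manual refresh from the UI, or auto refresh)."""
        self.members = {uid_from_dn(dn) for dn in directory.get(self.ldap_dn, ())}
        self.last_refresh_minute = now_minute

    def auto_refresh_if_due(self, directory: dict, now_minute: int,
                            update_interval_minutes: int) -> None:
        """Interval-based refresh, standing in for the 'Update Interval (minutes)' setting."""
        if now_minute - self.last_refresh_minute >= update_interval_minutes:
            self.refresh(directory, now_minute)


def effective_policies(uid: str, groups) -> frozenset:
    """Policies PAM grants to uid, evaluated only against the cached membership snapshot."""
    granted = set()
    for group in groups:
        if uid in group.members:
            granted |= group.policies
    return frozenset(granted)


def simulate(update_interval_minutes: int = 60) -> dict:
    """Walk through the scenario from the article and report access at each point in time."""
    directory = make_directory()
    group = PamLdapGroup(ldap_dn=GROUP_DN, policies=frozenset({"ssh-db01"}))
    group.refresh(directory, now_minute=0)       # initial import of the group into PAM
    results = {}

    # Minute 5: in LDAP, alice is removed from the group; bob is only moved to another OU.
    members = directory[GROUP_DN]
    members.discard("uid=alice,ou=finance,dc=example,dc=com")
    members.discard("uid=bob,ou=finance,dc=example,dc=com")
    members.add("uid=bob,ou=ops,dc=example,dc=com")

    # Minute 30: with a 60-minute interval nothing has been refreshed, so PAM still
    # works from the old snapshot and alice's policies are still in effect.
    group.auto_refresh_if_due(directory, 30, update_interval_minutes)
    results["alice_at_30"] = "ssh-db01" in effective_policies("alice", [group])
    results["bob_at_30"] = "ssh-db01" in effective_policies("bob", [group])

    # Minute 60: the interval has elapsed, the group is re-imported from LDAP.
    group.auto_refresh_if_due(directory, 60, update_interval_minutes)
    results["alice_at_60"] = "ssh-db01" in effective_policies("alice", [group])
    results["bob_at_60"] = "ssh-db01" in effective_policies("bob", [group])
    results["last_refresh_minute"] = group.last_refresh_minute
    return results


if __name__ == "__main__":
    for interval in (60, 15):
        print(f"Update Interval = {interval} min:", simulate(interval))
```

Running the script shows that with a 60-minute Update Interval alice can still use the target device at minute 30 and loses it only at minute 60, whereas bob keeps his access throughout; lowering the interval to 15 minutes (or performing a manual refresh) shortens the window in which stale membership still grants access.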
Additional Information:
See also:
https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/provision-users-and-devices/provisioning-users/configure-user-groups/import-ldap-user-groups#ImportLDAPUserGroups-RefreshLDAPGroups

https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/configuring-your-server/authenticate-users-locally-or-remotely/how-to-set-up-ldap-servers-for-user-authentication#HowtoSetUpLDAPServersforUserAuthentication-IdentifytheLDAPServersinYourEnvironment