LDAP group refresh error

Document ID : KB000005030
Last Modified Date : 22/06/2018
Issue:

While refreshing an LDAP group, some users fail to be added and the following error is reported:

"Message 2089: Duplicate Password Authority username %s".
or
"PAM-CMN-1810 = Duplicate Password Authority username {0}. User not added"

Environment:
All PAM Releases
Cause:

Typically this means that the related user object is not properly defined or synchronized across the various PAM internal databases. PAM keeps separate databases for access and for credential management, and one of them can fall out of sync with the other, leaving some objects inconsistent between the two (e.g. an account that exists in the access database but has no corresponding reference in credential management).


Resolution:

Contact CA Support, who will provide you with a patch to synchronize the PAM databases, XS_USR_SYNC.a.bin.

Apply it to the PAM appliance using the upload feature in the Upgrade menu of the CA PAM UI.

Once applied, its scripts run immediately and synchronize the databases. Should the script need to be run again, the patch has to be reapplied.

A cluster must be stopped first; then apply the fix on the Primary node only. Once done, restart the cluster, which copies the fixed databases over to all the other nodes.

It is recommended to perform the operation during off hours.

Note that the patch has no built-in rollback mechanism, and no guarantee can be given that it fully resolves the issue.

Take a backup of the CA PAM database or a snapshot of the entire VM beforehand, in case it is necessary to go back.