Need a user in multiple LDAP groups to use authentication type RSA instead of LDAP.

Document ID : KB000013053
Last Modified Date : 14/02/2018
Introduction:

We have multiple LDAP user groups imported into CA PAM. Some of those groups use authentication type LDAP, others use RSA. When we add a user who had been in groups with LDAP authentication to a group with RSA authentication, the user's authentication type remains LDAP. We would like to change it to RSA, but when we edit the user, we find that the authentication type cannot be updated.

Question:

How can we control which authentication type is used for a user who is in multiple imported groups using different authentication types?

Answer:

The authentication type cannot be changed for individual imported users, but it can be changed at the group level. To make sure that all users in a group imported with a given authentication type use that group's authentication type to log on to CA PAM, edit the group in CA PAM, temporarily change the authentication type to something else, save the change, and then change it back to the desired type. This updates the authentication type for all users in the group. The periodic synchronization of imported groups will not change it.