After deleting a user group that had been imported from LDAP into PAM 3.1.1 an LDAP user is left behind in PAM without group membership, and we cannot remove it nor make it join a group even when importing the same group again. The session log shows a message like the following at the time the group was first deleted:
PAM-CMN-2272: User <name>@<domain> is not deleted from Password Authority. Error Message: PAM-CM-0688: The specified user is an email notifier of a password view policy and cannot be deleted. Cannot delete a password view policy email notifier.
The Credential Management component of PAM will not allow removal of users that are configured as approvers in a password view policy.
The problem is fixed in PAM 3.2 and on. In the new release, when the group is attempted to be deleted, the UI will show an error like:
Error: PAM-UI-2404: Error deleting group. A user in the user group CN=d2localgroup,CN=Users,DC=d2,DC=ca-pam,DC=net could not be deleted, so the group was not deleted. See session logs for details.
And in the session logs we can see:
PAM-CMN-2272: User email@example.com is not deleted from Password Authority. Error Message: PAM-CM-0678: The specified user is an approver of a password view policy and cannot be deleted. Cannot delete a password view policy approver.
PAM-CMN-1578: Unexpected result from deleting user group
At that point only the users with the approver role will remain in PAM and you have a chance to go to Credential management, remove the users from the password view policy as approvers, and try to delete the group again. Now it will succeed. If you do not delete the group, the next LDAP refresh will bring all other group members back into PAM.
If you experienced the problem with a release prior to 3.2, such as PAM 3.1.1, you would need to open a support case to have the entry cleaned up by PAM support.