Unable to remove LDAP user account from CA PAM

Document ID : KB000107749
Last Modified Date : 02/08/2018
Issue:
An LDAP group had been imported into PAM. When the group was deleted, one of the users in the group remained behind in PAM without any group association. Because it is an LDAP-imported user, it cannot be deleted manually. No error was reported when the user group was deleted.
Environment:
Observed on PAM 3.1.1, but the same issue also appears on older PAM releases.
Cause:
Another user on the appliance has its "Email on Login" setting pointing at the user that cannot be removed from PAM. That reference prevents the referenced LDAP user from being deleted along with the group.
Resolution:

Remove the "Email on Login" references (see the screenshot below) for all users in the group before deleting the LDAP group.
  [Screenshot: "Email on Login" setting on the user record]
Importing the same LDAP user group again will bring the orphaned user back into PAM with its group association restored.
This issue has been fixed in the PAM 3.2 release. If one of the users in the LDAP group was configured as "Email on Login" for some other user, PAM will no longer delete the group and will show an error message similar to the following:

Error: PAM-UI-2404: Error deleting group. A user in the user group CN=Group Policy Creator Owners,CN=Users,DC=pam,DC=local could not be deleted, so the group was not deleted. See session logs for details.
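The following is an added illustration, not CA PAM's own code, of the kind of referential check that separates the 3.1.1 behaviour described above (group deleted, referenced member silently orphaned) from the 3.2 behaviour (deletion refused with an error). The data model, function names and sample users are assumptions; only the group DN and the error code are taken from the article. It also shows the resolution step of clearing the "Email on Login" references before the delete.

```python
"""Model of a pre-delete dependency check for an imported LDAP group.
Added illustration; not CA PAM's code.  Data model and names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# DN taken from the article's error message; users below are constructed.
GROUP_DN = "CN=Group Policy Creator Owners,CN=Users,DC=pam,DC=local"


@dataclass
class User:
    name: str
    source: str                           # "local" or "ldap"
    groups: List[str] = field(default_factory=list)
    email_on_login: Optional[str] = None  # user notified when this user logs in


def blocking_references(users: Dict[str, User], group_dn: str) -> Dict[str, List[str]]:
    """Map each member of group_dn that some other user names as its
    'Email on Login' target to the list of users referencing it."""
    members = {u.name for u in users.values() if group_dn in u.groups}
    blocking: Dict[str, List[str]] = {}
    for u in users.values():
        target = u.email_on_login
        if target in members and target != u.name:
            blocking.setdefault(target, []).append(u.name)
    return blocking


def clear_email_on_login_references(users: Dict[str, User], group_dn: str) -> List[str]:
    """The resolution step: drop every 'Email on Login' setting that points at
    a member of the group.  Returns the names of the users that were changed."""
    members = {u.name for u in users.values() if group_dn in u.groups}
    changed = []
    for u in users.values():
        if u.email_on_login in members:
            u.email_on_login = None
            changed.append(u.name)
    return changed


def delete_group(users: Dict[str, User], group_dn: str,
                 enforce_check: bool = True) -> Tuple[bool, str]:
    """Delete group_dn and its LDAP-sourced members.
    enforce_check=True  models the 3.2 behaviour: refuse while a member is referenced.
    enforce_check=False models 3.1.1: remove what can be removed, orphan the rest."""
    blocking = blocking_references(users, group_dn)
    if enforce_check and blocking:
        return False, (f"PAM-UI-2404: Error deleting group. A user in the user group "
                       f"{group_dn} could not be deleted, so the group was not deleted. "
                       f"Referenced members: {sorted(blocking)}")
    orphaned = []
    for u in list(users.values()):          # copy: the dict is mutated below
        if group_dn not in u.groups:
            continue
        u.groups.remove(group_dn)           # membership goes away either way
        if u.source != "ldap":
            continue
        if u.name in blocking:
            orphaned.append(u.name)         # still referenced: left behind, no group
        else:
            del users[u.name]
    if orphaned:
        return True, f"Group deleted; orphaned LDAP users left behind: {orphaned}"
    return True, "Group deleted"


def sample_users() -> Dict[str, User]:
    """Constructed sample: two imported members and a local admin whose
    'Email on Login' points at one of them."""
    return {
        "super": User("super", "local", email_on_login="alice"),
        "alice": User("alice", "ldap", groups=[GROUP_DN]),
        "bob": User("bob", "ldap", groups=[GROUP_DN]),
    }


def scenario_311() -> Tuple[bool, List[str]]:
    """3.1.1-style delete: succeeds, but 'alice' survives with no group."""
    users = sample_users()
    ok, _ = delete_group(users, GROUP_DN, enforce_check=False)
    return ok, sorted(users)


def scenario_32() -> Tuple[bool, List[str]]:
    """3.2-style delete: refused, nothing changes."""
    users = sample_users()
    ok, _ = delete_group(users, GROUP_DN, enforce_check=True)
    return ok, sorted(users)


def scenario_resolution() -> Tuple[bool, List[str], List[str]]:
    """Clear the references first, then the delete is clean."""
    users = sample_users()
    changed = clear_email_on_login_references(users, GROUP_DN)
    ok, _ = delete_group(users, GROUP_DN, enforce_check=True)
    return ok, changed, sorted(users)


if __name__ == "__main__":
    print(scenario_311())
    print(scenario_32())
    print(scenario_resolution())
```

Running `blocking_references` before a group delete is the check worth adding to any change procedure around imported accounts: if it returns anything, clear those references first, and the orphaned-user state in the article cannot arise.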