CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 27th February 2016
Issue
With PAM v2.7, LDAP group import fails with java.lang.ArrayIndexOutOfBoundsException if the base DN is not associated with domain component (dc) attributes.
== LDAPImport0.log ==
<record>
<date>2016-11-09T23:33:16</date>
<millis>1478734396161</millis>
<sequence>18</sequence>
<logger>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</logger>
<level>SEVERE</level>
<class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
<method>importLDAPGroupMember</method>
<thread>10</thread>
<message>Exception occurred while importing LDAP member</message>
<exception>
<message>java.lang.ArrayIndexOutOfBoundsException: 1</message>
<frame>
<class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
<method>importLDAPGroupMember</method>
<line>42</line>
</frame>
<frame>
<class>com.xceedium.gatekeeper.ldapSink.DatabaseLDAPDataSink</class>
<method>run</method>
<line>299</line>
</frame>
<frame>
<class>com.xceedium.gatekeeper.ldapSink.ServiceLDAPDataSink</class>
<method>run</method>
<line>19</line>
</frame>
<frame>
<class>java.lang.Thread</class>
<method>run</method>
</frame>
</exception>
</record>
Environment
PAM: 2.7
User Directory: CA Directory R12 SP18
Cause
PAM looks up LDAP members using the domain component (dc) attribute. Hence, the exception is raised when we attempt to import LDAP group members from an LDAP instance with a base DN of “o=Democorp,c=au”.
Resolution
Workaround
Use an LDAP instance that has domain component (dc) attributes in its base DN.
The issue is not observed with earlier releases of PAM, e.g. PAM v2.5 and v2.6.
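To confirm that a failed import matches this tip, the added example below (not CA code, and not part of the original tech tip) scans an LDAPImport log for the record signature shown above and checks whether a base DN contains any dc component. The function names and the sample log are constructed for illustration, and the log is assumed to be a complete file with the <log> root element that java.util.logging's XMLFormatter writes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed records in the format shown above, wrapped in
# the <log> root element that java.util.logging's XMLFormatter writes.
SAMPLE_LOG = """<log>
<record>
<date>2016-11-09T23:33:16</date>
<level>SEVERE</level>
<method>importLDAPGroupMember</method>
<message>Exception occurred while importing LDAP member</message>
<exception>
<message>java.lang.ArrayIndexOutOfBoundsException: 1</message>
</exception>
</record>
<record>
<date>2016-11-09T23:33:17</date>
<level>INFO</level>
<method>run</method>
<message>constructed unrelated record</message>
</record>
</log>"""


def has_dc_component(base_dn):
    """True if any RDN of base_dn has attribute type dc (case-insensitive)."""
    # Split on commas that are not backslash-escaped inside an RDN value.
    rdns = re.split(r"(?<!\\),", base_dn)
    return any(r.split("=", 1)[0].strip().lower() == "dc" for r in rdns)


def find_import_failures(log_xml):
    """Dates of SEVERE importLDAPGroupMember records carrying the exception."""
    hits = []
    for rec in ET.fromstring(log_xml).iter("record"):
        exc = rec.findtext("exception/message", default="")
        if (rec.findtext("level") == "SEVERE"
                and rec.findtext("method") == "importLDAPGroupMember"
                and "ArrayIndexOutOfBoundsException" in exc):
            hits.append(rec.findtext("date"))
    return hits


if __name__ == "__main__":
    print(find_import_failures(SAMPLE_LOG))       # matching record dates
    print(has_dc_component("o=Democorp,c=au"))    # base DN from this tip
```

A base DN for which has_dc_component returns False, combined with at least one hit from find_import_failures, matches the condition described under Cause.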