Symantec Privileged Access Management

  • 1.  How do you update list of AD users in PAM?

    Posted Jul 28, 2017 03:45 PM

    I noticed some Active Directory users are missing from PAM. Can someone tell me how I can have PAM update those automatically from AD? I'm hoping not to create those users manually.



  • 2.  Re: How do you update list of AD users in PAM?

    Broadcom Employee
    Posted Jul 28, 2017 04:40 PM

    Hi Bashir,

    LDAP users are imported into PAM as members of LDAP groups. There is no import of individual users, only of groups. The imported groups are synchronized with LDAP per the update interval configured for the LDAP domain on the Config > 3rd Party page. You can also do a manual refresh from the Users > Manage Groups page. If you have users in groups that were imported into PAM, and those users don't show up after the next LDAP refresh, please open a support case.



  • 3.  Re: How do you update list of AD users in PAM?

    Posted Jul 28, 2017 04:57 PM

    Thanks for the quick response, Ralf. When I do a manual refresh from the Users > Manage Groups page, I get the following message:

    Status: Group Refreshed With Error(s)

    Error adding user message 2050: Short name required for an LDAP provisioned user.



  • 4.  Re: How do you update list of AD users in PAM?

    Broadcom Employee
    Posted Aug 02, 2017 07:06 AM

    Hi Bashir,

    I was following this error and found that a possible cause of this message was in the LDAP config.

    Try to use TLS in the definition of the AD device.
    If you use "sAMAccountName=" instead of "-sAMAccountName=", it works OK ("-" is necessary in older versions).

    Hope this is helpful.


    Regards,

    Celeste