CA Identity Manager: PAM endpoint keeps forcing password changes

Article ID: 113549

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

When using a PAM endpoint above version 2.5, a password change in IM also forces a password change in PAM itself: the user logs into PAM and must change their password a second time.

Environment

Identity Manager with PAM endpoints running PAM higher than 2.5. 

Cause

The root cause of this issue is that the latest versions of PAM (above 2.5) expect an extra attribute, 'resetPasswordFlag', set to 't' or 'f', along with the password update. If the value is not set (null), PAM treats the attribute as true and forces the user to change the password on login after the password change.

Resolution

The Identity Manager code has been adjusted to also send the password flag with password resets. This functionality is available in Identity Manager 14.2 CP2; please upgrade if this issue is impacting your system.