When trying to change a password for a user on a RACF system through PAM, the user receives the following error message:
ICH408I USER(USER001 ) GROUP(LDAPGRP ) NAME(USER001 )
PARTIAL VIOLATION ON COMMAND ALTUSER
Need to determine what command was issued.
Release : 3.3
Component : CA LDAP Server
Set the LDAP debug level to CS. The command to do so is:
F ldapname,set,debug,CS
Then retry the password change. Afterwards, set the debug level back to the default:
F ldapname,set,debug,0
In stderr.log you can find the command by searching for the string command=
For example, a stderr.log containing the following output:
[10/22|15:01:34.225558|2739380000000003] (27A177EC)ra_Run_Command output: conn=1012 op=1 ppData[0]=(ICH21005I NOT AUTHORIZED TO SPECIFY PASSWORD/NOPASSWORD, OPERAND IGNORED.)
[10/22|15:01:34.225629|2739380000000003] (27A177EC)ra_Run_Command output: conn=1012 op=1 ppData[1]=(ICH21005I NOT AUTHORIZED TO SPECIFY NOEXPIRED, OPERAND IGNORED.)
[10/22|15:01:34.225656|2739380000000003] (27A177EC)ra_Run_Command: conn=1012 op=1 rows=2 user=ABCE command=ALTUSER EFGH PASSWORD(********) NOEXPIRE RESUME
shows that user ABCE issued the command 'ALTUSER EFGH PASSWORD(********) NOEXPIRE RESUME'.
The RACF response to that command is logged just before the command line itself:
ICH21005I NOT AUTHORIZED TO SPECIFY PASSWORD/NOPASSWORD, OPERAND IGNORED.
ICH21005I NOT AUTHORIZED TO SPECIFY NOEXPIRED, OPERAND IGNORED.
In this case user ABCE issued the command but does not have sufficient authority to specify the indicated operands, so RACF ignored them.
Contact the system administrator to obtain sufficient access to issue the command(s).
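To triage a larger stderr.log, the following added Python script (not part of this article or of CA LDAP Server) pairs each ra_Run_Command line with the ICH messages RACF returned for the same conn/op and flags commands that hit an ICH21005I authority failure. The sample log lines are constructed from the format shown above; the fourth line is an assumed extra entry for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the stderr.log format shown above (debug level CS);
# the last line is an assumed additional entry, not taken from a real system.
SAMPLE_LOG = """\
[10/22|15:01:34.225558|2739380000000003] (27A177EC)ra_Run_Command output: conn=1012 op=1 ppData[0]=(ICH21005I NOT AUTHORIZED TO SPECIFY PASSWORD/NOPASSWORD, OPERAND IGNORED.)
[10/22|15:01:34.225629|2739380000000003] (27A177EC)ra_Run_Command output: conn=1012 op=1 ppData[1]=(ICH21005I NOT AUTHORIZED TO SPECIFY NOEXPIRED, OPERAND IGNORED.)
[10/22|15:01:34.225656|2739380000000003] (27A177EC)ra_Run_Command: conn=1012 op=1 rows=2 user=ABCE command=ALTUSER EFGH PASSWORD(********) NOEXPIRE RESUME
[10/22|15:02:10.000001|2739380000000004] (27A177EC)ra_Run_Command: conn=1013 op=1 rows=0 user=OPER1 command=LISTUSER EFGH
"""

# RACF message returned for a command (logged before the command line).
OUTPUT_RE = re.compile(r"ra_Run_Command output: conn=(\d+) op=(\d+) ppData\[\d+\]=\((.*)\)\s*$")
# The command line itself; the password is already masked by the server.
COMMAND_RE = re.compile(r"ra_Run_Command: conn=(\d+) op=(\d+) rows=(\d+) user=(\S+) command=(.*?)\s*$")

def parse_commands(log_text):
    """Return one dict per RACF command, with the ICH messages for its conn/op."""
    pending = defaultdict(list)   # (conn, op) -> messages seen before the command line
    results = []
    for line in log_text.splitlines():
        m = OUTPUT_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))].append(m.group(3))
            continue
        m = COMMAND_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            messages = pending.pop(key, [])
            results.append({
                "conn": key[0], "op": key[1], "rows": int(m.group(3)),
                "user": m.group(4), "command": m.group(5),
                "messages": messages,
                # ICH21005I means an operand was ignored for lack of authority
                "authority_failure": any(msg.startswith("ICH21005I") for msg in messages),
            })
    return results

if __name__ == "__main__":
    for entry in parse_commands(SAMPLE_LOG):
        flag = "AUTHORITY FAILURE" if entry["authority_failure"] else "ok"
        print(f"conn={entry['conn']} op={entry['op']} user={entry['user']} [{flag}] {entry['command']}")
        for msg in entry["messages"]:
            print("    " + msg)
```

Run it against the real stderr.log with `parse_commands(open("stderr.log").read())` to list every command that RACF rejected in whole or in part, together with the user who issued it.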