An AIX target server does not work with the default AIX credentials script because of customization at the OS level.
The "Script Processor" was therefore updated to an expression that is known to have worked in the past, but it still does not work.
There can be many reasons, such as:
1. The account used for changing the password has an invalid password (unverified).
2. The account used for changing the password has insufficient privilege (sudo) to clear the target account status (such as disabled).
3. The account used for changing the password does not have access to /usr/bin/passwd.
Release : 3.x
Component : PRIVILEGED ACCESS MANAGEMENT
Check the Tomcat catalina.out log to better understand why the password rotation fails.
The following sample shows the case where /usr/bin/passwd was not accessible due to misconfiguration of the account.
INFO: start executing the default UNIX credentials update script
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd targetuser1
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser1
adminuser1@unix:~> passwd targetuser1
bash: passwd: command not found
adminuser1@unix:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'
This is an uncommon use case, but it is important to check the catalina.out log to understand why the password change failed.
As you can see, the "passwd" command returned "command not found".
When PAM then tried to match the output against the defined (original or custom) expression, there was no match, because the output contained no password prompt.
The system administrator should ensure that "adminuser1" has access to /usr/bin/passwd so that it can change other accounts' passwords.
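The check described above can be scripted. The following is an added example, not part of the original article or of the product: it pulls each "does NOT MATCH" entry out of a catalina.out excerpt, re-tests the logged expression against the text the target returned, and flags known shell errors. The names diagnose, MISMATCH and HINTS are hypothetical, and the "permission denied" hint is an assumption.

```python
import re

# Constructed sample: the catalina.out excerpt from this article, with the
# shell prompt on the last line written as on the earlier prompt line.
SAMPLE_LOG = r"""INFO: start executing the default UNIX credentials update script
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd targetuser1
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser1
adminuser1@unix:~> passwd targetuser1
bash: passwd: command not found
adminuser1@unix:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'
"""

# One "received data ... does NOT MATCH" entry; the received text spans lines.
MISMATCH = re.compile(
    r"received data '(?P<data>.*?)' does NOT MATCH any of the pattern\(s\): "
    r"'\[(?P<pattern>.*?)\]'\s*$",
    re.S | re.M,
)

# Shell messages mapped to a likely cause. "command not found" is the case in
# the article; "permission denied" is an assumed extra, not from the article.
HINTS = {
    "command not found": "passwd is not reachable for the account running the script",
    "permission denied": "the account lacks the privilege to run the command",
}

def diagnose(log_text):
    """Return one finding per mismatch entry: pattern, match result, causes."""
    findings = []
    for m in MISMATCH.finditer(log_text):
        data, pattern = m.group("data"), m.group("pattern")
        # Assumption: the bracketed text is a single expression that Python's
        # re module evaluates the same way as the product's regex engine.
        findings.append({
            "pattern": pattern,
            "pattern_matches": re.search(pattern, data) is not None,
            "causes": [why for text, why in HINTS.items() if text in data.lower()],
            "received": data,
        })
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print("expected prompt matched:", f["pattern_matches"])
        print("likely cause(s):", f["causes"] or "none recognised")
```

An empty causes list together with pattern_matches False suggests the prompt expression itself needs review, rather than the account or its access to the command.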