Check the tomcat catalina.out to better understand why the password rotation fails.
Following sample shows when the /usr/bin/passwd was not accessible due to misconfiguration of the account.
INFO: start executing the default UNIX credentials update script
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd targetuser1
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser1adminuser1
@unix:~> passwd targetuser1bash: passwd: command not found[email protected]
:~> ' does NOT MATCH any of the pattern(s)
This is an uncommon use case but it is important to check the catalina.out log to understand why the password change failed.
As you can see the "passwd" command returned "command not found".
And when PAM tried to find a pattern using the defined (original or custom) expression, there was no matching pattern for obvious reason.
System administrator should ensure the "adminuser1" will have access to /usr/bin/passwd to change other account password.