When a CA LDAP on Top Secret master account is used to change the passwords of other TSS accounts, PAM is unable to rotate the master account's own password, even though the master account can change the passwords of regular accounts. The Tomcat log shows that the password was changed, but it also reports an error modifying the password:
javax.naming.NamingException: [LDAP: error code 80 - LDP2406E TSS error modifying tssacid(TSS7030I Password Changed)]; remaining name 'tssacid=XXXXXXXX,tssadmingrp=acids,host=YYYYYYY,o=xxxxxxx,c=us'
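The following Python script is an added example, not part of the original article or of PAM. It scans Tomcat log text for this NamingException and flags entries where the LDAP error wraps the TSS7030I "Password Changed" message, meaning the directory reported both a failure and a completed change. The function name, the sample log text and the second message id (TSS0000X) are constructed for illustration.

```python
import re

# Constructed sample: line 2 is the message quoted in this article (placeholders
# kept as published); line 3 uses a made-up TSS message id for contrast.
SAMPLE_LOG = """\
INFO constructed line: password update started
javax.naming.NamingException: [LDAP: error code 80 - LDP2406E TSS error modifying tssacid(TSS7030I Password Changed)]; remaining name 'tssacid=XXXXXXXX,tssadmingrp=acids,host=YYYYYYY,o=xxxxxxx,c=us'
javax.naming.NamingException: [LDAP: error code 80 - LDP2406E TSS error modifying tssacid(TSS0000X constructed failure text)]; remaining name 'tssacid=ZZZZZZZZ,tssadmingrp=acids,host=YYYYYYY,o=xxxxxxx,c=us'
"""

# Captures: LDAP result code, CA LDAP message id, embedded TSS message, target DN.
LINE_RE = re.compile(
    r"javax\.naming\.NamingException: \[LDAP: error code (?P<code>\d+) - "
    r"(?P<ldp>LDP\d+[A-Z]) .*?\((?P<tss>TSS\d+[A-Z]) (?P<tss_text>[^)]*)\)\]; "
    r"remaining name '(?P<dn>[^']*)'"
)


def find_rotation_errors(log_text):
    """Return one dict per matching exception line found in log_text."""
    events = []
    for match in LINE_RE.finditer(log_text):
        # Naive DN split; adequate for the simple RDN values in this message.
        rdns = dict(rdn.split("=", 1) for rdn in match["dn"].split(","))
        events.append({
            "code": int(match["code"]),
            "ldp": match["ldp"],
            "tss": match["tss"],
            "tss_text": match["tss_text"],
            "acid": rdns.get("tssacid"),
            "host": rdns.get("host"),
            # TSS7030I inside the error: the log says the password was changed
            # even though the modify operation returned an error.
            "changed_despite_error": match["tss"] == "TSS7030I",
        })
    return events


if __name__ == "__main__":
    for event in find_rotation_errors(SAMPLE_LOG):
        status = "CHANGED-BUT-ERROR" if event["changed_despite_error"] else "error"
        print(f"{status}: acid={event['acid']} host={event['host']} "
              f"{event['ldp']}/{event['tss']} ({event['tss_text']})")
```
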
Release: 3.3.x. This could happen with any version of PAM that supports CA LDAP on Top Secret.
Component: PRIVILEGED ACCESS MANAGEMENT
CA LDAP: 15.1. It might happen with CA LDAP 15.0. The port being used is 791.