PAM Secondary Site nodes are not able to perform administrative tasks.
How, then, does a PAM Secondary Site node update an LDAP PAM user's password when the password has expired and the user must change it?
Release : 3.3
Component : PRIVILEGED ACCESS MANAGEMENT
By design, you should be able to change your password when you log in to a Secondary Site with an expired password.
The Secondary Site PAM node sends the request to the Primary Site with the user details; the user is updated there and then synchronized to the Secondary Site node.
If you look at the Sessions Log on the Secondary Site node, you will see that the user logged in with the correct old password and is required to change the password.
This node will actually send a request to the Primary Site node to perform the update.
In the Primary Site node Sessions log you will find the following.
Once this is successful, the user information is synchronized to the Secondary Site node and you will see "PAM-CMN-2742: My Info has been updated successfully, but your changes are pending."
As soon as the data has been synchronized, you will be logged in to the PAM GUI.
If you are getting an error as shown below while trying to update the expired password, this issue should be resolved in PAM 3.2.7 and 3.3.1.
If you are on PAM 3.3.2, please upgrade to PAM 3.3.3 to resolve this issue.