A new target account for an ACF2 server was created and can verify its password successfully, but the following error occurs when trying to generate a new password.
PAM-CM-0758: Failed to synchronize password with target. If this problem persists then please ask your Administrator to investigate.
In the Tomcat logs, the following error occurs.
Feb 11, 2022 12:12:12 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
SEVERE: UpdateTargetAccountCmd.invoke 1600: [LDAP: error code 80 - LDP0403E Modify unknown error for(userPassword), value(#####)]
javax.naming.NamingException: [LDAP: error code 80 - LDP0403E Modify unknown error for(userPassword), value(#####)]; remaining name 'acf2lid=lidname,acf2admingrp=grpname,host=hostname,o=oname,c=cname'
On the ACF2 server, the PSWDSIM option was enabled. PSWDSIM is a password similarity check; when it is enabled, ACF2 requires the old password to be supplied before the new password. Because PAM sends only the new password in its LDAP modify of userPassword, ACF2 rejected the update and the rotation failed.
Once PSWDSIM was removed on the ACF2 server, PAM was able to rotate the password successfully.
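As an added triage example, not part of the original article or of the PAM product: a small Python scanner that walks Tomcat log lines for the LDAP failure quoted above, extracts the result code, the ACF2 message id, the attribute and the target DN components, and flags the PSWDSIM signature so the cause can be spotted without reading every stack trace. The sample log embedded below is constructed from the lines in this article; lidname, grpname and hostname are placeholders.

```python
import re

# Constructed sample modelled on the Tomcat entries quoted in the article.
# One failing rotation, followed by an unrelated informational line.
SAMPLE_LOG = """\
Feb 11, 2022 12:12:12 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
SEVERE: UpdateTargetAccountCmd.invoke 1600: [LDAP: error code 80 - LDP0403E Modify unknown error for(userPassword), value(#####)]
javax.naming.NamingException: [LDAP: error code 80 - LDP0403E Modify unknown error for(userPassword), value(#####)]; remaining name 'acf2lid=lidname,acf2admingrp=grpname,host=hostname,o=oname,c=cname'
Feb 11, 2022 12:15:00 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
INFO: UpdateTargetAccountCmd.invoke 1600: password updated
"""

# "[LDAP: error code 80 - LDP0403E Modify unknown error for(userPassword), ...]"
LDAP_ERR = re.compile(r"\[LDAP: error code (\d+) - (\w+) ([^\]]*?) for\((\w+)\)")
# The JNDI exception line carries the target DN after "remaining name".
DN_RE = re.compile(r"remaining name '([^']+)'")

def parse_dn(dn):
    """Split an RDN chain like 'acf2lid=x,host=y' into a dict (keys lower-cased)."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        out.setdefault(key.strip().lower(), value.strip())
    return out

def find_acf2_sync_failures(log_text):
    """Return one record per userPassword modify failure seen in the log text."""
    failures = []
    for line in log_text.splitlines():
        m = LDAP_ERR.search(line)
        # The SEVERE line repeats the error but only the exception line has the DN.
        if not m or "NamingException" not in line:
            continue
        code, msg_id, _, attr = m.groups()
        dn_match = DN_RE.search(line)
        dn = parse_dn(dn_match.group(1)) if dn_match else {}
        rec = {"ldap_code": int(code), "msg_id": msg_id, "attribute": attr,
               "lid": dn.get("acf2lid"), "host": dn.get("host"), "hint": None}
        # Signature described in the article: result code 80 / LDP0403E on userPassword.
        if rec["ldap_code"] == 80 and msg_id == "LDP0403E" and attr == "userPassword":
            rec["hint"] = "ACF2 rejected a new-password-only modify; check PSWDSIM on the target"
        failures.append(rec)
    return failures

if __name__ == "__main__":
    for rec in find_acf2_sync_failures(SAMPLE_LOG):
        print(rec)
```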