CLI command to set or reset password synchronization

Article ID: 247497


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

I'm trying to use the CLI to reset the synchronization parameter on accounts but cannot get the syntax correct. I have made several attempts to find the solution in the documents without luck. See example commands and results below.

 

capam_command capam=myserver adminUserID=myaccount adminPassword=mypswd cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=false
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>0</cr.statusCode>
<cr.statusDescription>Success. An invalid or unrecognized value is assigned to the &amp;apos;Attribute.protocol&amp;apos; parameter.</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>

capam_command capam=myserver adminUserID=myaccount adminPassword=mypswd cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=false Attribute.protocol=SSH2_PASSWORD_AUTH
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>5952</cr.statusCode>
<cr.statusDescription>PAM-CM-3488: Change process not specified.</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>

capam_command capam=myserver adminUserID=myaccount adminPassword=mypswd cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=false Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.passwordChangeMethod=DO_NOT_USE_SUDO
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>5952</cr.statusCode>
<cr.statusDescription>PAM-CM-3488: Change process not specified.</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>

 

Environment

Release : 4.0

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

All attempts were missing the attribute Attribute.useOtherAccountToChangePassword, which is required for UNIX target accounts.

Resolution

The following is an example of a working command:

cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=true Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.passwordChangeMethod=DO_NOT_USE_SUDO Attribute.useOtherAccountToChangePassword=false

 

To find out which attributes are required for a given type of target account, go to the PAM online documentation -> Implementing Credential Manager -> Identify Target Applications and Connectors -> Add a XXX Target Connector -> XXX Target Connector CLI Configuration. For example, for the UNIX target connector, the target application and target account attributes are listed on the page UNIX Target Connector CLI Configuration. The UNIX Target Account CLI Parameters section shows that the attribute useOtherAccountToChangePassword is required, as are some others. A few attributes may or may not be required, depending on the value of other attributes. For example, Attribute.otherAccount is required if Attribute.useOtherAccountToChangePassword is set to true.
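
The first attempt in this article returned cr.statusCode 0 even though its description reported an invalid Attribute.protocol value, so a script that calls capam_command should check the description as well as the code. The following is an added example, not part of the original article or of PAM itself; the function names are hypothetical, and it assumes a clean run reports the description "Success." exactly.

```shell
#!/bin/sh
# Added example (not from the article): classify capam_command output.
# Assumption: a clean run reports statusCode 0 and the description "Success."

# Outputs reduced from the results shown in the article.
SAMPLE_WARN='<CommandResult>
<cr.statusCode>0</cr.statusCode>
<cr.statusDescription>Success. An invalid or unrecognized value is assigned to the &amp;apos;Attribute.protocol&amp;apos; parameter.</cr.statusDescription>
</CommandResult>'
SAMPLE_ERR='<CommandResult>
<cr.statusCode>5952</cr.statusCode>
<cr.statusDescription>PAM-CM-3488: Change process not specified.</cr.statusDescription>
</CommandResult>'
# Constructed: what a clean result is assumed to look like.
SAMPLE_OK='<CommandResult>
<cr.statusCode>0</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
</CommandResult>'

# Print the text of the first single-line <cr.NAME> element read from stdin.
cr_field() {
    sed -n "s:.*<cr\.$1>\(.*\)</cr\.$1>.*:\1:p" | head -n 1
}

# Classify the result XML passed as $1.
# Prints "ok", "warning: ..." or "error: ..."; returns 0, 1 or 2.
classify_result() {
    code=$(printf '%s\n' "$1" | cr_field statusCode)
    desc=$(printf '%s\n' "$1" | cr_field statusDescription)
    if [ -z "$code" ]; then
        printf 'error: no cr.statusCode in output\n'; return 2
    fi
    if [ "$code" != "0" ]; then
        printf 'error: %s %s\n' "$code" "$desc"; return 2
    fi
    # statusCode 0 can still carry a complaint after "Success."
    extra=${desc#Success.}
    extra=${extra# }
    if [ -n "$extra" ]; then
        printf 'warning: %s\n' "$extra"; return 1
    fi
    printf 'ok\n'
}

for sample in "$SAMPLE_WARN" "$SAMPLE_ERR" "$SAMPLE_OK"; do
    classify_result "$sample" || true
done
```

In a script, pass the captured output of capam_command to classify_result and treat any non-zero return as a failed update.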