I'm trying to use the CLI to reset the synchronization parameter on accounts but cannot get the syntax correct. I have made several attempts to find the solution in the documents without luck. See example commands and results below.
capam_command capam=myserver adminUserID=myaccount adminPassword=mypswd cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=false
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>0</cr.statusCode>
<cr.statusDescription>Success. An invalid or unrecognized value is assigned to the &apos;Attribute.protocol&apos; parameter.</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>
capam_command capam=myserver adminUserID=myaccount adminPassword=mypswd cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=false Attribute.protocol=SSH2_PASSWORD_AUTH
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>5952</cr.statusCode>
<cr.statusDescription>PAM-CM-3488: Change process not specified.</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>
capam_command capam=myserver adminUserID=myaccount adminPassword=mypswd cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=false Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.passwordChangeMethod=DO_NOT_USE_SUDO
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>5952</cr.statusCode>
<cr.statusDescription>PAM-CM-3488: Change process not specified.</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>
Release : 4.0
Component : PRIVILEGED ACCESS MANAGEMENT
All of the attempts were missing the Attribute.useOtherAccountToChangePassword parameter, which is a required attribute for UNIX target accounts.
The following is an example of a working command:
cmdName=updateTargetAccount TargetAccount.ID=8675309 TargetAccount.userName=pamaccount TargetAccount.synchronize=true Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.passwordChangeMethod=DO_NOT_USE_SUDO Attribute.useOtherAccountToChangePassword=false
To find out which attributes are required for a given type of target account, go to the PAM online documentation -> Implementing Credential Manager -> Identify Target Applications and Connectors -> Add a XXX Target Connector -> XXX Target Connector CLI Configuration. For example, for the UNIX target connector, the target application and target account attributes are listed on the page UNIX Target Connector CLI Configuration. The UNIX Target Account CLI Parameters section shows that the attribute useOtherAccountToChangePassword is required, as are some others. A few attributes may or may not be required, depending on the value of other attributes. For example, Attribute.otherAccount would be required if Attribute.useOtherAccountToChangePassword were set to true.
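
When updateTargetAccount is scripted, the two pitfalls above can be checked automatically: a missing attribute before the call, and a statusCode of 0 whose description still reports a problem after it. The following is an added example, not part of the product or of the original article; the function names and the MINIMUM_UNIX_ATTRS set (taken from the working command above, not the full documented list) are assumptions.

```python
import xml.etree.ElementTree as ET

# Attributes taken from the page's working command; the product documentation
# lists further required ones, so treat this set as a minimum (assumption).
MINIMUM_UNIX_ATTRS = (
    "Attribute.protocol",
    "Attribute.passwordChangeMethod",
    "Attribute.useOtherAccountToChangePassword",
)

def missing_unix_attrs(args):
    """Return attribute names absent from a list of key=value CLI arguments."""
    given = dict(a.split("=", 1) for a in args if "=" in a)
    missing = [k for k in MINIMUM_UNIX_ATTRS if k not in given]
    # Conditional requirement described on the page.
    use_other = given.get("Attribute.useOtherAccountToChangePassword", "")
    if use_other.lower() == "true" and "Attribute.otherAccount" not in given:
        missing.append("Attribute.otherAccount")
    return missing

def classify_result(xml_text):
    """Map a <CommandResult> document to ('ok'|'warning'|'error', code, text)."""
    root = ET.fromstring(xml_text)
    code = int(root.findtext("cr.statusCode", default="-1"))
    desc = (root.findtext("cr.statusDescription") or "").strip()
    if code != 0:
        return ("error", code, desc)
    # Status 0 can still carry a complaint after "Success.", as in the first attempt.
    extra = desc[len("Success."):].strip() if desc.startswith("Success.") else desc
    return ("warning" if extra else "ok", code, desc)

# Constructed input modelled on the first output shown above.
FIRST_ATTEMPT = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>0</cr.statusCode>
<cr.statusDescription>Success. An invalid or unrecognized value is assigned to the &apos;Attribute.protocol&apos; parameter.</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>"""

if __name__ == "__main__":
    args = ["cmdName=updateTargetAccount", "TargetAccount.ID=8675309",
            "TargetAccount.synchronize=false", "Attribute.protocol=SSH2_PASSWORD_AUTH"]
    print(missing_unix_attrs(args))
    print(classify_result(FIRST_ATTEMPT))
```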