When logging into PAM with LDAP authentication, a user will be prompted to change their password when it has expired. However, they get an error after entering the new password and are logged out.
In the session logs on the appliance the user logged into, the following message appears; it reports only an unknown error and does not say why the password change failed.
9/18/2024 14:19 | CN=DemoUser,OU=...,DC=com | admin | Error when attempting to update user info on a secondary site - error was PAM-CM-0715: PAM returned an error response. request=ManageUserService::updateUserSelfFromSecondarySite, status=0, messages=PAM-CMN-0275: Password change failed. Unknown error.;, responseData=null |
Privileged Access Manager users with LDAP authentication
When a user logs into a secondary appliance through LDAP authentication and is prompted to change their password, the password change call will go to the primary leader to communicate with the LDAP server. PAM will use the bind user from the LDAP configuration page to make the password change, so if that bind user does not have enough permissions in LDAP, the password change will fail.
To confirm this behavior, look for an "LDAP password rollover failed" message in the session logs on the primary leader at the same time as the PAM-CM-0715/PAM-CMN-0275 message in the session logs on the secondary appliance.
9/18/2024 14:19 | __xcd_local__ | admin | LDAP password rollover failed. Error was Error 50: Insufficient access. |
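The correlation described above (a PAM-CM-0715/PAM-CMN-0275 entry on the secondary appliance matched against an "LDAP password rollover failed" entry on the primary leader at the same time) can be done by hand, but when many users are affected it is quicker to run it over exported session logs. The following is an added example, not part of the original article and not PAM tooling; it assumes the session logs have been exported as the pipe-delimited text lines shown above (timestamp, principal, actor, message). The two error messages are copied from the article; the other sample lines and the `window` tolerance are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample session-log lines in the pipe-delimited format quoted in
# the article. The two error messages are the ones from the article; the other
# entries are made up so the filter has unrelated lines to ignore.
SECONDARY_SESSION_LOG = [
    "9/18/2024 14:17 | CN=DemoUser,OU=Users,DC=example,DC=com | admin | User logged in |",
    "9/18/2024 14:19 | CN=DemoUser,OU=Users,DC=example,DC=com | admin | "
    "Error when attempting to update user info on a secondary site - error was "
    "PAM-CM-0715: PAM returned an error response. "
    "request=ManageUserService::updateUserSelfFromSecondarySite, status=0, "
    "messages=PAM-CMN-0275: Password change failed. Unknown error.;, responseData=null |",
]
PRIMARY_SESSION_LOG = [
    "9/18/2024 14:10 | __xcd_local__ | admin | Scheduled task completed |",
    "9/18/2024 14:19 | __xcd_local__ | admin | "
    "LDAP password rollover failed. Error was Error 50: Insufficient access. |",
]

TIMESTAMP_FORMAT = "%m/%d/%Y %H:%M"          # format of the first field in the export
SECONDARY_MARKERS = ("PAM-CM-0715", "PAM-CMN-0275")
PRIMARY_MARKER = "LDAP password rollover failed"
LDAP_CODE_RE = re.compile(r"Error was Error (\d+)")  # pulls the LDAP result code (50 above)


def parse_entry(line):
    """Split one exported line into its fields; return None for lines that do not fit."""
    fields = [f.strip() for f in line.strip().strip("|").split("|")]
    if len(fields) < 4:
        return None
    try:
        timestamp = datetime.strptime(fields[0], TIMESTAMP_FORMAT)
    except ValueError:
        return None
    message = " | ".join(fields[3:])  # keep the message intact even if it contained a pipe
    code = LDAP_CODE_RE.search(message)
    return {
        "time": timestamp,
        "principal": fields[1],
        "actor": fields[2],
        "message": message,
        "ldap_result_code": int(code.group(1)) if code else None,
    }


def find_failed_password_changes(secondary_lines):
    """Secondary-appliance entries carrying the PAM-CM-0715 / PAM-CMN-0275 failure."""
    entries = [e for e in map(parse_entry, secondary_lines) if e]
    return [e for e in entries if any(m in e["message"] for m in SECONDARY_MARKERS)]


def find_rollover_failures(primary_lines):
    """Primary-leader entries reporting that the bind user's password rollover failed."""
    entries = [e for e in map(parse_entry, primary_lines) if e]
    return [e for e in entries if PRIMARY_MARKER in e["message"]]


def correlate(secondary_lines, primary_lines, window=timedelta(minutes=1)):
    """Pair each secondary failure with primary rollover failures within `window` of it.

    The session log only has minute resolution, so `window` is a tolerance (assumed
    value) rather than an exact match on the timestamp string.
    """
    matches = []
    rollover_failures = find_rollover_failures(primary_lines)
    for secondary in find_failed_password_changes(secondary_lines):
        for primary in rollover_failures:
            if abs(secondary["time"] - primary["time"]) <= window:
                matches.append((secondary, primary))
    return matches


def summarize(secondary_lines, primary_lines):
    """Human-readable verdict for an operator reading the two exports side by side."""
    matches = correlate(secondary_lines, primary_lines)
    if not matches:
        return "no matching LDAP rollover failure on the primary leader; cause lies elsewhere"
    lines = []
    for secondary, primary in matches:
        lines.append(
            f"{secondary['time']:%Y-%m-%d %H:%M} {secondary['principal']}: password change "
            f"failed on secondary; primary reports LDAP result code "
            f"{primary['ldap_result_code']} (bind user lacks permission to change passwords)"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SECONDARY_SESSION_LOG, PRIMARY_SESSION_LOG))
```

A match with LDAP result code 50 (insufficient access) on the primary side points at the bind user's directory permissions, as the article describes; a secondary failure with no primary counterpart within the window indicates a different cause and should not be treated as this issue.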
Grant the LDAP bind user configured on the PAM LDAP configuration page the directory permissions it needs to change user passwords, so that password changes made through PAM succeed.