We have a UNIX target application configured in CA PAM with two accounts, say user1 and user2, where user1 is configured to change the password of the other account, user2.
User1 can change its own password and this works, but attempts to update the password of user2 fail.
Debugging the problem shows that PAM logs on to the target device as user1 and issues the command "sudo passwd user2" to change the password. This command first asks for the password of user1, but in our case PAM is providing the wrong password at that prompt, and the command fails to complete.
The target account for user1 was configured with the "This account can change its own password" and "Do not use elevated privileges" options. This works for updating its own password.
However, it is not correct in this case: the account is configured to update another account's password, and sudo is configured to ask for the password of the account that issues the command.
Set the "Use elevated privileges with authentication" flag in the account details for user1, the account that runs the sudo command to change another account's password.
If the sudo command on the device is configured to ask for the password of the account that runs the command first, which is the default and recommended configuration for sudo, then CA PAM needs to be configured accordingly.
When the "Use elevated privileges with authentication" flag is set for the account that logs on, PAM will know that after issuing the "sudo passwd <other account>" command it first has to provide the logged-on user's password, before sending the new password for the account to be changed.
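As an added illustration (not part of this article and not CA PAM's own configuration), the sudoers rules below show the two sudo behaviours the article distinguishes, so an administrator can check on the target device which one applies before choosing the PAM account flag. The account names and the /usr/bin/passwd path are assumptions; "sudo -l" run as user1 on the device lists the rule that is actually in effect.

```sudoers
# Constructed /etc/sudoers fragment (added example, not from CA PAM or this article).
# Edit with visudo; "user1", "user2" and "/usr/bin/passwd" are assumed values.

# Case 1 - default and recommended sudo behaviour: before running passwd as root,
# sudo prompts for user1's OWN password. The CA PAM account for user1 therefore
# needs "Use elevated privileges with authentication" so that PAM answers that
# prompt before sending the new password for user2.
user1   ALL=(root) /usr/bin/passwd user2

# Case 2 - NOPASSWD rule: sudo runs passwd without any password prompt, so there is
# no authentication step for PAM to answer. This is a different sudo configuration
# from the one the article describes as recommended.
# user1   ALL=(root) NOPASSWD: /usr/bin/passwd user2

# Caveat: a "Defaults targetpw" or "Defaults rootpw" line makes sudo ask for the
# target/root account's password instead of user1's, which is again a different
# case from the prompting-for-own-password default covered by the article.
```

Only one of the two user1 rules should be active at a time; the commented-out rule is shown for comparison. The first case is the one where the "sudo passwd user2" command asks for user1's password first, as described above.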