
Troubleshooting problems of PAM password plug-in with the IBM Security Identity Manager integration

Use this information to troubleshoot the case in which a user's password is changed even though IBM Security Identity Manager and the PAM password plug-in rejected it.


Problem

The PAM password plug-in is integrated with IBM Security Identity Manager for password policy validation. The following problem is encountered when users try to change their password.

  1. If the new password does not meet the requirements in the IBM Security Identity Manager password policy, the following error appears on the command line:
    [testuser1@iapp2 ~]$ passwd
    Changing password for user testuser1.
    Changing password for testuser1.
    (current) UNIX password:
    New password:
    Retype new password:
    passwd: Authentication token manipulation error
  2. The proxy.log shows that IBM Security Identity Manager rejects the password because it does not meet the password rules. The SDI Java proxy therefore rejects the operation as well and does not store the password change in the password store that it is configured for.
    [6/18/13 9:55 AM] {Proxy} DEBUG:
                      CTGDKN026I Received operational code: '2'.
    [6/18/13 9:55 AM] {LDAPStore} WARN:
                      CTGIME012E  The password does not meet 
                      the requirements of the password rule. 
                      The following error occurred. 
                      Error: CTGIMH023E A user name cannot be 
                      part of a password. 
    [6/18/13 9:55 AM] {Proxy} WARN:
                      CTGDKN028I Rejecting operation.
  3. Yet the user's password is changed anyway, which defeats the policy check: the user can log in with the new password.


Solution

Update the password stack in /etc/pam.d/system-auth as shown here.

Mark the SDI plug-in module and the operating system plug-in module as requisite. The control flag decides what happens after a module fails: with required, PAM records the failure but keeps running the rest of the stack, so pam_unix.so still writes the new password and only the final result is reported as an error; with requisite, the first failure returns control to the application immediately and no later module runs, so the rejection by IBM Security Identity Manager is not ignored.

password    requisite    pam_cracklib.so try_first_pass retry=3 type=
password    requisite    /opt/IBM/TDI/V7.2/pwd_plugins/pam/libpamtivoli_64.so \
                         use_first_pass /opt/IBM/TDI/V7.2/pwd_plugins/pam/pwsync_ioc.props
password    requisite     pam_unix.so md5 shadow use_authtok

Also check the /etc/pam.d/passwd settings and make sure that the password line pulls in system-auth as a substack, as shown here.

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth   
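The following shell script is an added audit helper; it is not part of the IBM documentation or the SDI product. It reads a PAM configuration file such as /etc/pam.d/system-auth, joins backslash-continued lines the way PAM does, and reports every password-policy module (pam_cracklib.so, the SDI libpamtivoli plug-in and, going beyond this page, pam_pwquality.so on newer distributions) that is not marked requisite or that runs after pam_unix.so. The two sample stacks it writes are constructed for the demonstration: the required variant is an assumption about the pre-fix file, which the page itself does not show.

```shell
#!/bin/sh
# Added audit helper, not part of the IBM documentation or the SDI product.
# It checks a PAM "password" stack for the misconfiguration described above:
# a password-policy module (pam_cracklib.so, the SDI libpamtivoli plug-in, or
# pam_pwquality.so on newer distributions) that is not "requisite", or that
# runs after pam_unix.so. In either case pam_unix.so writes the new password
# even though the policy module rejected it.
#
# Usage: check_pam_password_stack /etc/pam.d/system-auth
# Exit status: 0 when the stack is safe, 1 when FAIL lines were printed.
check_pam_password_stack() {
    awk '
    BEGIN { problems = 0; seen_unix = 0; buf = "" }
    {
        line = $0
        sub(/[ \t]+$/, "", line)
        # PAM joins a line ending in a backslash with the next one; do the same.
        if (line ~ /\\$/) { buf = buf substr(line, 1, length(line) - 1) " "; next }
        line = buf line; buf = ""
        sub(/^[ \t]+/, "", line)
        if (line ~ /^(#|$)/) next
        n = split(line, f, /[ \t]+/)
        if (f[1] != "password") next
        # The control field is either a keyword or a bracketed [key=action ...] list.
        if (f[2] ~ /^\[/) {
            i = 2
            while (i <= n && f[i] !~ /\]$/) i++
            ctl = "[...]"; mod = f[i + 1]
        } else {
            ctl = f[2]; mod = f[3]
        }
        if (mod ~ /pam_unix\.so$/) { seen_unix = 1; next }
        if (mod !~ /(pam_cracklib\.so|pam_pwquality\.so|libpamtivoli)/) next
        if (ctl == "[...]") {
            print "INFO: " FILENAME ":" NR ": " mod " uses bracketed control syntax, review manually"
        } else if (seen_unix) {
            print "FAIL: " FILENAME ":" NR ": " mod " runs after pam_unix.so, the password is already written"
            problems++
        } else if (ctl != "requisite") {
            print "FAIL: " FILENAME ":" NR ": " mod " is " ctl ", must be requisite (required lets pam_unix.so run after the rejection)"
            problems++
        }
    }
    END { exit problems ? 1 : 0 }
    ' "$1"
}

# Constructed sample (an assumption, the page does not show the pre-fix file):
# the same three modules with the "required" control flag.
write_sample_required() {
    cat > "$1" <<'EOF'
#%PAM-1.0
password    required     pam_cracklib.so try_first_pass retry=3 type=
password    required     /opt/IBM/TDI/V7.2/pwd_plugins/pam/libpamtivoli_64.so \
                         use_first_pass /opt/IBM/TDI/V7.2/pwd_plugins/pam/pwsync_ioc.props
password    required     pam_unix.so md5 shadow use_authtok
EOF
}

# Constructed sample matching the corrected stack from the Solution above.
write_sample_requisite() {
    cat > "$1" <<'EOF'
#%PAM-1.0
password    requisite    pam_cracklib.so try_first_pass retry=3 type=
password    requisite    /opt/IBM/TDI/V7.2/pwd_plugins/pam/libpamtivoli_64.so \
                         use_first_pass /opt/IBM/TDI/V7.2/pwd_plugins/pam/pwsync_ioc.props
password    requisite    pam_unix.so md5 shadow use_authtok
EOF
}

# Run the check against both constructed stacks.
demo() {
    bad=$(mktemp) && good=$(mktemp) || return 1
    write_sample_required "$bad"
    write_sample_requisite "$good"
    echo "== required stack =="
    check_pam_password_stack "$bad" || echo "exit status $?"
    echo "== requisite stack =="
    check_pam_password_stack "$good" && echo "no problems, exit status 0"
    rm -f "$bad" "$good"
}

demo
```

Run it against the live file with `check_pam_password_stack /etc/pam.d/system-auth`; a non-zero exit status means a policy rejection would not stop the password change. Lines that use the bracketed control syntax are only flagged for manual review, because their failure action depends on the individual key=action pairs.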

