shikhakolekar
Article Id 427695

Description

This article describes how to resolve an issue where the LDAP password change fails intermittently in reconcile mode.

Scope

FortiPAM.

Solution

  • FortiPAM is configured to rotate passwords automatically via policy.
  • During the rotation process, password changes fail for approximately 20–30% of the accounts with the error 'Password reconciliation failed':

[Screenshot: 'Password reconciliation failed' error in the FortiPAM GUI]


  • Verify that password change is enabled in Active Directory for the test user:

[Screenshot: password change setting for the user in Active Directory]

  • Verify whether the password changes for the affected 20–30% of accounts actually succeeded in Active Directory.
  • Run the following debug commands to capture why the password change fails:

diagnose wad debug enable category secret
diagnose wad debug enable category pwdchg
diagnose wad debug enable level verbose
diagnose debug enable

Reproduce the issue, then disable the debug:

diagnose debug disable


  • Example:

[V][p:2743] wad_pwd_chg_proc_request :2761 pwd daemon recv GUI req type=8, sec_id=20, history_id=-1, repl=0, user=admin, cust_pwd=
[V][p:2743] wad_pwd_try_start_req_task :273 total request in que=1, running request=0, task pending=0
[V][p:2743] wad_pwd_req_task_run :2415 start one task(sec_id=20), type=3, state=
[V][p:2743] wad_pwd_chg_ldap_fill_info :2087 rcvy=0, pwd_vrf=0, pwd_chg=0, history_id=-1
[V][p:2743] wad_pwd_proc_ldap_result :1822 is_pwd_chg=1,state=4,status=3,invalid_cred=0,err=0000052D: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0
[V][p:2743] wad_pwd_try_start_req_task :273 total request in que=0, running request=0, task pending=0
[I][p:2761] wad_gui_api_pwd_chg_notify :5219 recv pwd change resp result=1, code=4, err=0000052D: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0
[I][p:2761] wad_http_pwd_chg_continue :6086 Password reconciliation failed.

The Active Directory response in the wad_pwd_proc_ldap_result line (err=0000052D, problem 5003 WILL_NOT_PERFORM) is the signature of this issue: the directory refused the change and FortiPAM then reports the reconciliation as failed.
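As an added example (not from the article and not Fortinet code), the following Python script triages a larger 'diagnose wad debug' capture of the kind shown above. It splits records that a terminal or copy-paste fused onto one line (the article's own capture shows such a fused line), attributes each LDAP error to the task that the same pwd daemon process most recently started (an assumption about how the daemon interleaves its output), decodes the Windows error code that Active Directory embeds in the LDAP diagnostic (0x52D is ERROR_PASSWORD_RESTRICTION), and reports how many rotations failed so the 20–30% figure can be measured before and after the upgrade. The sample capture is constructed: the sec_id=20 lines follow the article's example, while the sec_id=21..24 task starts are made up to represent rotations that produced no LDAP error.

```python
import re
from collections import Counter

# Constructed sample of FortiPAM 'diagnose wad debug' output. The sec_id=20
# records are modelled on the article's example (including one fused line);
# the sec_id=21..24 task starts are made up so that the sample also contains
# rotations that produced no LDAP error.
SAMPLE_DEBUG = """\
[V][p:2743] wad_pwd_chg_proc_request :2761 pwd daemon recv GUI req type=8, sec_id=20, history_id=-1, repl=0, user=admin, cust_pwd=
[V][p:2743] wad_pwd_try_start_req_task :273 total request in que=1, running request=0, task pending=0
[V][p:2743] wad_pwd_req_task_run :2415 start one task(sec_id=20), type=3, state=
[V][p:2743] wad_pwd_chg_ldap_fill_info :2087 rcvy=0, pwd_vrf=0, pwd_chg=0, history_id=-1
[V][p:2743] wad_pwd_proc_ldap_result :1822 is_pwd_chg=1,state=4,status=3,invalid_cred=0,err=0000052D: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0
[V][p:2743] wad_pwd_try_start_req_task :273 total request in que=0, running request=0, task pending=0[I][p:2761] wad_gui_api_pwd_chg_notify :5219 recv pwd change resp result=1, code=4, err=0000052D: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0
[I][p:2761] wad_http_pwd_chg_continue :6086 Password reconciliation failed.
[V][p:2743] wad_pwd_req_task_run :2415 start one task(sec_id=21), type=3, state=
[V][p:2743] wad_pwd_req_task_run :2415 start one task(sec_id=22), type=3, state=
[V][p:2743] wad_pwd_req_task_run :2415 start one task(sec_id=23), type=3, state=
[V][p:2743] wad_pwd_req_task_run :2415 start one task(sec_id=24), type=3, state=
"""

# Windows system error codes that Active Directory embeds in the LDAP
# diagnostic message of a rejected password operation ('err=0000052D' is hex).
WIN_ERROR_NAMES = {
    0x52D: "ERROR_PASSWORD_RESTRICTION",
    0x52E: "ERROR_LOGON_FAILURE",
    0x52F: "ERROR_ACCOUNT_RESTRICTION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

RECORD_START = re.compile(r'(?=\[[A-Z]\]\[p:\d+\] )')
PID_RE = re.compile(r'^\[[A-Z]\]\[p:(\d+)\] (\w+)')
TASK_START_RE = re.compile(r'start one task\(sec_id=(\d+)\)')
LDAP_ERR_RE = re.compile(r'err=([0-9A-Fa-f]{8}):.*?problem (\d+) \((\w+)\)')


def split_records(text):
    """Split debug output into one record per '[X][p:NNN] func' entry.

    Splitting on the record prefix rather than on newlines separates entries
    that were fused onto a single line, as in the article's capture.
    """
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]


def analyse(text):
    """Attribute each LDAP error to the task the same pwd daemon process (pid)
    most recently started (assumption), and summarise the rotation run."""
    current_task = {}   # pid -> sec_id of the task that process is running
    started = set()
    failures = {}       # sec_id -> (windows error name, LDAP problem)
    for rec in split_records(text):
        m = PID_RE.match(rec)
        if not m:
            continue
        pid, func = m.groups()
        if func == "wad_pwd_req_task_run":
            t = TASK_START_RE.search(rec)
            if t:
                sec_id = int(t.group(1))
                current_task[pid] = sec_id
                started.add(sec_id)
        elif func == "wad_pwd_proc_ldap_result":
            e = LDAP_ERR_RE.search(rec)
            if e and pid in current_task:
                code = int(e.group(1), 16)
                name = WIN_ERROR_NAMES.get(code, "UNKNOWN_0x%X" % code)
                failures[current_task[pid]] = (name, f"{e.group(2)} ({e.group(3)})")
    return {
        "tasks": len(started),
        "failed": len(failures),
        "failure_rate": len(failures) / len(started) if started else 0.0,
        "failures": failures,
        "signatures": Counter(failures.values()),
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_DEBUG)
    print(f"{summary['failed']} of {summary['tasks']} rotations failed "
          f"({summary['failure_rate']:.0%})")
    for sec_id, (err, problem) in sorted(summary["failures"].items()):
        print(f"  sec_id={sec_id}: {err}, LDAP problem {problem}")
```

Run it against a saved debug capture by reading the file into `analyse()` instead of `SAMPLE_DEBUG`; a failure rate that drops to zero after upgrading to 1.7.2 or 1.8.0 confirms the fix, while any signature other than 0x52D / 5003 (WILL_NOT_PERFORM) points to a different cause than the known issue.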

 

This is a known issue (1221265), and it is fixed in FortiPAM 1.7.2 and 1.8.0. Upgrading to one of these versions is recommended to resolve the issue.