Hello, The tomcat log level should be Info. To understand logs when you try to update an Active Directory target account, you should be aware of PAM's update logic, explained e.g. in
KB 129646. To check when PAM tried to update a target account password, you can view the Account Passwords Update Attempts report from the Credentials > Reports > Run page.