This was reported downstream on SES 5.5:
During the execution of auth.authenticate() there's a call to pam_conversation() which is supposed to simply return the password. But there's an additional parameter userData that prevents the successful return of that password, so the authentication fails.
The authentication succeeded after we simply removed the parameter (we haven't noticed negative impacts yet). This is our small change: