openLDAP pwdReset pwdMustChange

Daniel Fisher dfisher at
Wed Aug 24 01:51:32 UTC 2022

On Tue, Aug 23, 2022 at 1:31 AM Lipscomb, Gary via users <
users at> wrote:

> Has anyone done this?

It appears you're attempting to use
for your password policy implementation.

>    - idp.authn.LDAP.usePasswordPolicy = true

This is the property you want set to true to enable this feature.

>    - idp.authn.LDAP.usePasswordExpiration = true

This property enables a different type of password policy implementation (
Set it to false.

Assuming you've configured the ppolicy overlay correctly in OpenLDAP....
Your IDP should signal a warning type of AuthnEventIds.ACCOUNT_WARNING
when a password warning is returned from an LDAP authentication. And an
error type of AuthnEventIds.ACCOUNT_ERROR when a password error is returned.

--Daniel Fisher