openLDAP pwdReset pwdMustChange

Lipscomb, Gary glipscomb at
Mon Aug 29 23:57:10 UTC 2022

Hi Dan,

I finally got it working yesterday by doing the following

  *   In openLDAP in the password policy set pwdMustChange: TRUE
  *   In openLDAP in the user account set pwdReset: TRUE
  *   In the IdP in password-authn-config.xml add CHANGE_AFTER_RESET:

          <entry key="ExpiringPassword">
              <list>
                  <value>ACCOUNT_WARNING</value>
                  <value>CHANGE_AFTER_RESET</value>
              </list>
          </entry>

This will then give the user the message “Your password will be expiring soon. Please ensure you update your password via the Staff Portal before it expires”.
I was trying to add the pwdMustChange: TRUE to the user record. This had no effect.

If I add CHANGE_AFTER_RESET to the “ExpiredPassword” entry

          <entry key="ExpiredPassword">
              <list>
                  <value>PASSWORD_EXPIRED</value>
                  <value>CLIENT KEY EXPIRED</value>
                  <value>AcceptSecurityContext error, data 532</value>
                  <value>AcceptSecurityContext error, data 773</value>
                  <value>AcceptSecurityContext error, data 701</value>
                  <value>CHANGE_AFTER_RESET</value>
              </list>
          </entry>

the login process won’t proceed past the login page but NO “Expired Password” message is displayed. I didn’t investigate any further with this.

Since the expiring-password method can’t force a user to change their password, we are looking at an alternative for when the password has been administratively reset for the user and we tell them they must change it within 24 hours.

What appears to be working is that in openLDAP we change the user’s password policy to one that has an expiry time of 1 day by

  *   Setting pwdPolicySubentry: cn=PasswordPolicyReset,ou=Policies,

This gives the expiring-password message and then the expired-password message if they don’t change it within 24 hours, without having to make any changes to Shibboleth.

Thanks for pointing me in the right direction.
We haven’t made a final decision on which option to follow.



Gary Lipscomb
Technical Officer, Systems
IT Infrastructure & Security | Division of Information Technology
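Added illustration, not code from either message nor from Shibboleth or OpenLDAP: a Python decoder for the password-policy response control that OpenLDAP attaches to the bind result (with pwdReset: TRUE it carries the changeAfterReset error), followed by the two ClassifiedMessageMap placements discussed above. The control bytes are constructed, and the matching rule in classify() is my assumption about how the IdP applies the map.

```python
# Error enumeration from draft-behera-ldap-password-policy (control OID
# 1.3.6.1.4.1.42.2.27.8.5.1). OpenLDAP returns code 2 on bind when the entry has
# pwdReset: TRUE and its policy has pwdMustChange: TRUE.
PPOLICY_ERRORS = {0: "PASSWORD_EXPIRED", 1: "ACCOUNT_LOCKED", 2: "CHANGE_AFTER_RESET",
                  3: "PASSWORD_MOD_NOT_ALLOWED", 4: "MUST_SUPPLY_OLD_PASSWORD",
                  5: "INSUFFICIENT_PASSWORD_QUALITY", 6: "PASSWORD_TOO_SHORT",
                  7: "PASSWORD_TOO_YOUNG", 8: "PASSWORD_IN_HISTORY"}

def _tlv(buf: bytes, pos: int):
    """Read one BER TLV (short-form length only); return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length is not expected in a ppolicy control")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_ppolicy(value: bytes) -> dict:
    """SEQUENCE { warning [0] CHOICE { [0] timeBeforeExpiration, [1] graceAuthNsRemaining }
    OPTIONAL, error [1] ENUMERATED OPTIONAL }, decoded with LDAP's implicit tagging."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out = {"time_before_expiration": None, "grace_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                          # warning [0], constructed
            wtag, wval, _ = _tlv(inner, 0)
            key = "time_before_expiration" if wtag == 0x80 else "grace_remaining"
            out[key] = int.from_bytes(wval, "big")
        elif tag == 0x81:                        # error [1] ENUMERATED
            out["error"] = PPOLICY_ERRORS.get(inner[0], f"UNKNOWN_{inner[0]}")
    return out

# The two placements of CHANGE_AFTER_RESET from the thread (other map values trimmed).
MAP_AS_WARNING = {"ExpiringPassword": ["ACCOUNT_WARNING", "CHANGE_AFTER_RESET"],
                  "ExpiredPassword": ["PASSWORD_EXPIRED"]}
MAP_AS_EXPIRED = {"ExpiringPassword": ["ACCOUNT_WARNING"],
                  "ExpiredPassword": ["PASSWORD_EXPIRED", "CHANGE_AFTER_RESET"]}

def classify(state: dict, message_map: dict):
    """Assumption: the IdP substring-matches map values against the state text; first key wins."""
    text = state["error"] or ("ACCOUNT_WARNING" if state["time_before_expiration"] is not None else "")
    for event, needles in message_map.items():
        if any(n in text for n in needles):
            return event
    return None          # no match: treated as an unclassified authentication error
# Constructed control values: 9 days (777600 s) to expiry; bind after pwdReset; expired password.
SAMPLE_EXPIRING, SAMPLE_RESET, SAMPLE_EXPIRED = (
    bytes.fromhex("3007a00580030bdd80"), bytes.fromhex("3003810102"), bytes.fromhex("3003810100"))
```

Moving CHANGE_AFTER_RESET from the ExpiringPassword list to the ExpiredPassword list is what flips the same pwdReset bind from a warning event to an expired event.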

From: Daniel Fisher <dfisher at>
Sent: Tuesday, 30 August 2022 09:27
To: Lipscomb, Gary <glipscomb at>
Subject: Re: openLDAP pwdReset pwdMustChange

On Wed, Aug 24, 2022 at 2:27 PM Daniel Fisher <dfisher at> wrote:
On Wed, Aug 24, 2022 at 12:34 AM Lipscomb, Gary via users <users at> wrote:
Thanks Dan,

We already have that set and password expiration works. We get a warning displayed from 10 days prior to password expiration.
It’s just adding the additional pwdReset and pwdMustChange don’t do anything using SSO but work with ldapsearch CLI.

Try adding CHANGE_AFTER_RESET to the ExpiredPassword entry of shibboleth.authn.Password.ClassifiedMessageMap.
(Assuming you want to treat this condition as an expired password.)
I *think* that will fire an expired password warning event, but it's not something I've tried before.

--Daniel Fisher

Please let me know if this works for you. If so, I'll make sure this gets committed to the project for the next release. Thanks.

--Daniel Fisher
