openLDAP pwdReset pwdMustChange

Daniel Fisher dfisher at
Thu Sep 1 19:01:52 UTC 2022

On Mon, Aug 29, 2022 at 7:57 PM Lipscomb, Gary <glipscomb at> wrote:

> Hi Dan,
> I finally got it working yesterday by doing the following
>    - In openLDAP in the password policy set pwdMustChange: TRUE
>    - In openLDAP in the user account set pwdReset: TRUE
>    - In the IdP in password-authn-config.xml add CHANGE_AFTER_RESET
>          <entry key="ExpiringPassword">
>              <list>
>                  <value>ACCOUNT_WARNING</value>
>                  <value>CHANGE_AFTER_RESET</value>
>              </list>
>          </entry>
> This will then give the user the "Your password will be expiring soon. Please
> ensure you update your password via the Staff Portal before it expires"

Ok, I think this makes sense. CHANGE_AFTER_RESET would only be returned on
a successful authentication, so only the warning flow could execute. Sounds
like you're on the right track to forcing a password change and leveraging
CHANGE_AFTER_RESET doesn't provide much, if any, value.

--Daniel Fisher
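The exchange above turns on one detail: with pwdMustChange and pwdReset set, the OpenLDAP ppolicy overlay still lets the bind succeed and reports changeAfterReset only inside the Password Policy response control, which is why the IdP can handle it in the warning (ExpiringPassword) flow rather than as a failed login. The following is an added example, not code from the thread or from the Shibboleth IdP or OpenLDAP projects. It decodes that control value (draft-behera-ldap-password-policy, BER-encoded as OpenLDAP emits it: warning as a constructed context tag 0xA0 wrapping 0x80 timeBeforeExpiration or 0x81 graceAuthNsRemaining, error as primitive context tag 0x81) from constructed sample bytes, and `describe_bind_outcome` is a hypothetical model of the classification the thread describes, not the IdP's actual code.

```python
# Added example (not from the mailing-list thread): decode the LDAP Password
# Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that OpenLDAP's
# ppolicy overlay attaches to a bind response, and show how pwdReset: TRUE
# surfaces as the changeAfterReset error on a bind that nevertheless succeeded.

# Error values from the PasswordPolicyResponseValue ENUMERATED.
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}

WARNING_KINDS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV (short or long definite length) at pos.
    Returns (tag, value_bytes, position_after_value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value: bytes) -> dict:
    """Decode a PasswordPolicyResponseValue.
    Returns {'warning': (kind, int) or None, 'error': name or None}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE (explicitly tagged, constructed)
            wtag, wval, _ = _tlv(inner, 0)
            if wtag not in WARNING_KINDS:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
            out["warning"] = (WARNING_KINDS[wtag], int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED (implicitly tagged, primitive)
            code = int.from_bytes(inner, "big")
            out["error"] = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return out


def describe_bind_outcome(bind_succeeded: bool, control: dict) -> str:
    """Hypothetical model (assumption, not the IdP's real logic) of the point
    made in the thread: only a successful bind can reach the ExpiringPassword
    warning flow, so changeAfterReset on a successful bind is a warning, not
    a login failure. A failed bind is reported as an error regardless."""
    if not bind_succeeded:
        return "authentication failed: " + (control["error"] or "invalidCredentials")
    if control["error"] == "changeAfterReset" or control["warning"] is not None:
        return "authenticated; ExpiringPassword warning flow"
    return "authenticated"


# Constructed sample control values (not captured from a real server):
#   SEQUENCE { error changeAfterReset(2) }
RESET_ONLY = bytes.fromhex("30 03 81 01 02")
#   SEQUENCE { warning timeBeforeExpiration 86400, error changeAfterReset(2) }
RESET_WITH_EXPIRY = bytes.fromhex("30 0a a0 05 80 03 01 51 80 81 01 02")


if __name__ == "__main__":
    for name, raw in (("pwdReset only", RESET_ONLY), ("pwdReset + expiry", RESET_WITH_EXPIRY)):
        ctl = decode_ppolicy_response(raw)
        print(name, ctl, "->", describe_bind_outcome(True, ctl))
```

A practitioner checking a deployment can capture the bind response with the ppolicy request control attached (for example via `ldapwhoami -e ppolicy` against the test account) and compare the decoded error against what the IdP surfaces: if the bind succeeds and the control carries changeAfterReset, the warning path is the only one that can run, exactly as the reply states.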