Oracle Waveset 8.1.1 Resources Reference

Expired LDAP Passwords

If the LDAP resource's password aging policy is enabled and an account's password has aged beyond the expiration limit, the LDAP server considers the account unusable under its password policy and rejects a BIND operation, so Waveset receives an invalid credentials result. In some cases the LDAP resource adapter can determine that the supplied password is otherwise valid (for example, the additional information in the BIND response contains the text password expired). When this case is detected, the LDAP resource adapter can administratively reset the expired password to a generated password, and the self-change operation then proceeds using that generated password as the current password.

The User Password On Change behavior for an expired password depends on whether a password policy is set in the Waveset LDAP resource configuration. If none is set, the self-service change password operation fails with an explanation that an expired password cannot be self-changed. If a password policy is set, Waveset uses it to generate a temporary password, performs an administrative reset with that password, and then authenticates as the user with it and modifies the password to the value the user supplied. Allowing the automatic reset when a resource password policy is configured is reasonable because the new password supplied by the user has already passed that policy check and so should be accepted by the LDAP server. Note the failure mode, however: if that final update is nevertheless rejected, the generated temporary password has already replaced the user's current password, so the user's previous password is lost and the account is left with the temporary password.
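The two paragraphs above describe a sequence of LDAP operations (BIND rejected with invalid credentials plus a "password expired" diagnostic, administrative reset to a generated password, BIND with that password, modify to the user's new password) and one failure mode. The following simulation, added here as an illustration and not Waveset's or the adapter's own code, walks through that flow against a tiny in-memory stand-in for an LDAP server with password aging. The `MockDirectory` class, the `policy` dictionary, the result codes chosen and the `self_change_password` function are all assumptions made for this example; the real adapter's internal API is not shown on the page.

```python
"""Simulation of self-service password change against an LDAP server with password aging.

Constructed example (not Waveset code): `MockDirectory` stands in for the LDAP server and
`self_change_password` mirrors the adapter flow described above, including the branch
taken when no password policy is configured and the failure mode after the reset.
"""
import secrets
import string

SUCCESS = 0                 # LDAP resultCode success
CONSTRAINT_VIOLATION = 19   # LDAP resultCode a server typically uses for a policy-rejected password
INVALID_CREDENTIALS = 49    # LDAP resultCode invalidCredentials


class MockDirectory:
    """Minimal in-memory directory: entries carry a password and the time it was set."""

    def __init__(self, max_age_s, min_length):
        self.max_age_s = max_age_s      # password aging limit enforced by the "server"
        self.min_length = min_length    # the server's own password policy (hypothetical)
        self.entries = {}               # dn -> {"pw": str, "set_at": float}

    def add(self, dn, pw, set_at):
        self.entries[dn] = {"pw": pw, "set_at": set_at}

    def bind(self, dn, pw, now):
        """Return (resultCode, diagnosticMessage) as a BindResponse would."""
        e = self.entries.get(dn)
        if e is None or e["pw"] != pw:
            return INVALID_CREDENTIALS, ""
        if now - e["set_at"] > self.max_age_s:
            # Password matches but has aged out: still invalidCredentials,
            # only the diagnostic text tells the client why.
            return INVALID_CREDENTIALS, "password expired"
        return SUCCESS, ""

    def admin_reset(self, dn, new_pw, now):
        """Administrative reset: no current password needed, server policy still applies."""
        if len(new_pw) < self.min_length:
            return CONSTRAINT_VIOLATION
        self.entries[dn] = {"pw": new_pw, "set_at": now}
        return SUCCESS

    def modify_password(self, dn, current_pw, new_pw, now):
        """Self-change: the current password must authenticate before the update is applied."""
        code, _ = self.bind(dn, current_pw, now)
        if code != SUCCESS:
            return INVALID_CREDENTIALS
        return self.admin_reset(dn, new_pw, now)


def generate_temp_password(policy):
    """Generate a temporary password that satisfies the (hypothetical) resource policy."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(policy["min_length"]))


def self_change_password(directory, dn, current_pw, new_pw, policy, now):
    """Adapter-side flow. Returns (ok, reason)."""
    code, diag = directory.bind(dn, current_pw, now)
    if code == SUCCESS:
        ok = directory.modify_password(dn, current_pw, new_pw, now) == SUCCESS
        return ok, "changed" if ok else "new password rejected by server"
    if code == INVALID_CREDENTIALS and "password expired" not in diag:
        return False, "invalid credentials"
    # Expired but otherwise valid password: behaviour depends on the configured policy.
    if policy is None:
        return False, "expired password cannot be self-changed"
    temp = generate_temp_password(policy)
    if directory.admin_reset(dn, temp, now) != SUCCESS:
        return False, "administrative reset failed"
    # From this point the user's old password no longer works; only `temp` does.
    if directory.modify_password(dn, temp, new_pw, now) != SUCCESS:
        return False, "new password rejected by server; account now holds the temporary password"
    return True, "changed after administrative reset"
```

The last branch is the caveat from the text made concrete: once the administrative reset has run, a rejection of the user's new password leaves the account with the generated temporary password rather than the one the user knew, which is why the reset is only attempted when a Waveset password policy has already vetted the new value.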