ldap exchange 2003 code 49 - ERROR_PASSWORD_MUST_CHANGE

1

I am trying to write a function to allow a user to reset their password when they must change their password (code 49 - ERROR_PASSWORD_MUST_CHANGE).

I ask for their username, current password, then enter a new password and confirm the new password.

A side note, I noticed when I tried logging into an application that uses ldap authentication, it does not allow them in. This leads me to believe that ERROR_PASSWORD_MUST_CHANGE somehow interrupts the authentication process.

For them to reset their password, they would need to authenticate with their current password (which verifies them as being the actual owner of that account), but it will fail.

I know I could use an admin account to make the password change, but it never verifies the user being the actual owner of the account since it does not care what their current password is.

I plan on writing this in php, not sure if this matters, but I'm learning more about the "gotchas" of ldap and any help is appreciated.

UPDATE: I found a "hack" to get this to work. If ldap returns the code number for pwdLastSet being 0, then you set the pwdLastSet using an admin account to -1, then they will be able to authenticate to ldap, to reset their password.

Update: Answered the question with how to do that in php here https://stackoverflow.com/questions/15084506/adldap-user-must-change-password/16109623#16109623

Brad

Posted 2013-04-16T14:03:46.707

Reputation: 153
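The flow the update describes (the user bind fails with code 49, an admin writes pwdLastSet = -1, the user then binds with the current password and changes it), as an added Python example that is not part of the question or of the linked answer. Active Directory reports the reason for a code 49 bind failure only in the diagnostic message, as "data <hex>"; 773 is ERROR_PASSWORD_MUST_CHANGE, so that sub-code is what the reset flow should key on rather than the bare result code. The domain controller is replaced by a constructed in-memory stand-in so the block runs offline; the DN, passwords, password-policy rule and diagnostic strings are constructed, and the step that restores pwdLastSet to 0 when the change does not complete is an assumption added here as a safeguard, not something the question states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# AD answers every failed simple bind with LDAP result code 49 (invalidCredentials)
# and puts the real reason in the diagnostic message as "data <hex>".
# 773 is ERROR_PASSWORD_MUST_CHANGE: the password was right, but the account is
# flagged "must change password at next logon" (pwdLastSet = 0).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "password must change (ERROR_PASSWORD_MUST_CHANGE)",
    0x775: "account locked out",
}
MUST_CHANGE = 0x773
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def classify_bind_failure(diagnostic: str) -> Optional[int]:
    """Return the AD sub-code parsed from a code-49 diagnostic message, or None."""
    m = _DATA_RE.search(diagnostic or "")
    return int(m.group(1), 16) if m else None


@dataclass
class FakeAccount:
    password: str
    pwd_last_set: int  # 0 = must change at next logon; AD treats a write of -1 as "now"


@dataclass
class FakeAD:
    """Constructed stand-in for a domain controller (assumption). A real client
    (PHP ldap_* functions, python-ldap, ldap3) would perform these four operations
    against the server; the diagnostic strings mimic AD's format."""
    accounts: Dict[str, FakeAccount] = field(default_factory=dict)

    def bind(self, dn: str, password: str) -> Tuple[bool, str]:
        acct = self.accounts.get(dn)
        if acct is None:
            return False, "AcceptSecurityContext error, data 525, v1db1"
        if acct.password != password:
            return False, "AcceptSecurityContext error, data 52e, v1db1"
        if acct.pwd_last_set == 0:
            # The behaviour the question describes: right password, still refused.
            return False, "AcceptSecurityContext error, data 773, v1db1"
        return True, ""

    def get_pwd_last_set(self, dn: str) -> int:
        return self.accounts[dn].pwd_last_set

    def set_pwd_last_set(self, dn: str, value: int) -> None:
        # Privileged write: in production this goes over the admin bind.
        self.accounts[dn].pwd_last_set = value

    def change_password(self, dn: str, old: str, new: str) -> bool:
        # Self-service change: the server verifies the old password, applies
        # the password policy (constructed: minimum 8 characters) and stamps pwdLastSet.
        acct = self.accounts[dn]
        if acct.password != old or len(new) < 8:
            return False
        acct.password, acct.pwd_last_set = new, 1  # 1 stands in for "now"
        return True


def self_service_reset(ad: FakeAD, user_dn: str, current_pw: str, new_pw: str) -> str:
    """The workaround from the question: when the user bind fails with data 773 and
    pwdLastSet is 0, an admin writes -1 so the user can bind, then the user changes
    the password themselves, which is what proves ownership of the current one."""
    ok, diag = ad.bind(user_dn, current_pw)
    if ok:
        return "changed" if ad.change_password(user_dn, current_pw, new_pw) else "change-failed"
    sub = classify_bind_failure(diag)
    if sub != MUST_CHANGE:
        return "refused: " + AD_BIND_SUBCODES.get(sub, "unknown reason")
    if ad.get_pwd_last_set(user_dn) != 0:
        return "refused: must-change reported but pwdLastSet is not 0"
    ad.set_pwd_last_set(user_dn, -1)  # admin-side step; this clears the must-change flag
    ok, diag = ad.bind(user_dn, current_pw)
    changed = ok and ad.change_password(user_dn, current_pw, new_pw)
    if not changed:
        # Assumption added here: writing -1 removed the flag before the user finished,
        # so put it back whenever the change did not complete.
        ad.set_pwd_last_set(user_dn, 0)
        return "refused: " + AD_BIND_SUBCODES.get(classify_bind_failure(diag), "change failed")
    return "changed"
```

Note that the wrong-password case never reaches the admin write: AD reports data 52e before data 773 when the password itself is wrong, so the pwdLastSet change only happens once the current password has been accepted at least as far as the bind reason goes, and the user still has to present it again for the actual change.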

No answers