AD expired password


Maybe someone can help me. I'm using PI to provide a 2FA solution for my GlobalProtect VPN users. So my firewall is connected to PrivacyIdea via the RADIUS protocol, and PrivacyIdea to my Active Directory server via LDAP.
On my AD there is an expiration date for users' passwords. So when a user tries to connect to the VPN with an expired password, of course, it is not allowed.

Do you know if there is a chance to have a prompt asking the user to enter the old password and then the new one during the authentication process?

I guess I have some configuration to do on PI but also on my FW. But if you have an idea of where to look, that would be great.

Thanks a lot

Hello Xque,

privacyIDEA itself is not able to reset AD passwords.

What kind of LDAP query do you do to filter out users with expired passwords?

The issue I am facing is that users can still log in with MFA even if the password is expired.

The filter I am using in the ldapresolver is: (sAMAccountName=*)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)).
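The filter above only excludes accounts with the ACCOUNTDISABLE bit (2) set in userAccountControl; an account whose password has passed the domain's maxPwdAge still matches it. The script below is an added example (not from the original posts and not privacyIDEA code) that computes expiry from the standard AD attributes pwdLastSet, userAccountControl and the domain-root maxPwdAge, classifies a constructed set of sample entries, and builds an extended version of the posted filter that drops expired passwords server-side via a pwdLastSet threshold. It assumes the default domain policy applies (fine-grained password policies via PSOs are not handled; for those, msDS-UserPasswordExpiryTimeComputed is the authoritative attribute) and that the resolver accepts an arbitrary LDAP search filter string.

```python
"""Detect expired AD passwords from pwdLastSet / maxPwdAge / userAccountControl.

Added example for this thread (not from the original posts and not privacyIDEA
code). The sample entries are constructed, not pulled from a real directory.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag bits (documented values).
UF_ACCOUNTDISABLE = 0x0002        # the bit the posted filter already excludes
UF_DONT_EXPIRE_PASSWD = 0x10000   # "password never expires"

# Domain-root maxPwdAge for a 90-day policy: stored as a NEGATIVE tick count.
DOMAIN_MAX_PWD_AGE = -90 * 86400 * 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def expiry_threshold_filetime(max_pwd_age: int, now: datetime) -> int:
    """Oldest pwdLastSet that is still within the domain's maximum password age."""
    age = timedelta(microseconds=(-max_pwd_age) // 10)
    return datetime_to_filetime(now - age)


def password_expired(pwd_last_set: int, uac: int, max_pwd_age: int, now: datetime) -> bool:
    """True when the account's password is older than maxPwdAge (or must be changed)."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:   # never-expire flag / no domain max age
        return False
    if pwd_last_set == 0:                                  # "must change password at next logon"
        return True
    return pwd_last_set < expiry_threshold_filetime(max_pwd_age, now)


def unexpired_user_filter(max_pwd_age: int, now: datetime) -> str:
    """The posted filter wrapped in (&...) and extended to exclude expired passwords.

    pwdLastSet is a 64-bit integer in AD, so a >= comparison works. The threshold is a
    point-in-time value: the filter must be regenerated periodically or it goes stale.
    """
    threshold = expiry_threshold_filetime(max_pwd_age, now)
    return (
        "(&(sAMAccountName=*)(objectCategory=person)"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
        "(|(userAccountControl:1.2.840.113556.1.4.803:=65536)"
        f"(pwdLastSet>={threshold})))"
    )


def classify(entries: dict, max_pwd_age: int, now: datetime) -> dict:
    """Map sAMAccountName -> 'ok' | 'expired' | 'disabled' for (pwdLastSet, uac) tuples."""
    out = {}
    for name, (pwd_last_set, uac) in entries.items():
        if uac & UF_ACCOUNTDISABLE:
            out[name] = "disabled"
        elif password_expired(pwd_last_set, uac, max_pwd_age, now):
            out[name] = "expired"
        else:
            out[name] = "ok"
    return out


# Constructed sample directory, evaluated at a fixed "now" so results are reproducible.
# 0x200 is NORMAL_ACCOUNT.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "alice": (datetime_to_filetime(datetime(2024, 1, 15, tzinfo=timezone.utc)), 0x200),  # 46 days old
    "bob":   (datetime_to_filetime(datetime(2023, 11, 1, tzinfo=timezone.utc)), 0x200),  # 121 days old
    "carol": (datetime_to_filetime(datetime(2022, 1, 1, tzinfo=timezone.utc)), 0x200 | UF_DONT_EXPIRE_PASSWD),
    "dave":  (0, 0x200),                                                                   # must change at next logon
    "erin":  (datetime_to_filetime(datetime(2024, 2, 1, tzinfo=timezone.utc)), 0x200 | UF_ACCOUNTDISABLE),
}


def classify_sample() -> dict:
    return classify(SAMPLE_ENTRIES, DOMAIN_MAX_PWD_AGE, SAMPLE_NOW)


if __name__ == "__main__":
    for name, status in classify_sample().items():
        print(f"{name:6s} {status}")
    print(unexpired_user_filter(DOMAIN_MAX_PWD_AGE, SAMPLE_NOW))
```

Read maxPwdAge from the domain root object and pwdLastSet/userAccountControl from each user; note that the generated filter deliberately also drops pwdLastSet=0 (must change at next logon), which matches what password_expired() returns for that case.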


As I thought, there is no solution for my issue.
My workaround to avoid this problem: I just extended the password expiration and added a prompt for domain users asking them to change their password many days before expiration.
To summarize, I did the following on my LDAP:
Password expiration = 90 days
Prompt to change password = 14 days before expiration date

Thank you and best regards
