We have ApacheDS configured to expire passwords after a fixed amount of time. If a user lets their password expire and that user attempts to authenticate with an *invalid* password, ADS will respond with an error code related to their password being expired rather than a response stating their password entry was invalid.
This is not the desired behavior for a couple of reasons. First, it is confusing our users because they assume that if our SSO portal tells them their password has expired, they did enter the correct existing password. So when they get sent to our password change screen, they will enter the invalid existing password that they used initially, thinking it was correct. The other issue is a matter of security. It is possible for anyone to determine if an account is expired just by entering the correct username. Are there any suggestions on how to configure ADS to first verify the password is valid before responding with an account expired code? --Ezsra
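The two bind orderings the post contrasts, as an added model (constructed example, not ApacheDS code or configuration): the first reports expiry before checking the password, which lets a caller who only knows the username distinguish expired accounts; the second discloses expiry only after the supplied password has been verified. The 90-day age limit, the sample entries and the use of the LDAP password-policy `passwordExpired` error alongside `invalidCredentials` are assumptions of this example.

```python
"""Constructed model of an LDAP simple-bind decision order (not ApacheDS code).

bind_expiry_first() mirrors the behaviour described in the post: the server
reports a password-expired condition before it has verified the supplied
password.  bind_password_first() is the corrected ordering.  Result codes are
modelled on the LDAP password-policy draft: the bind fails with
invalidCredentials and the optional passwordExpired error rides in the
response control (second tuple element, None when absent).
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_AGE = 90 * 86400  # assumed policy: passwords expire after 90 days


@dataclass
class Entry:
    password_hash: bytes      # constructed sample: sha256 of the password
    pwd_changed_time: float   # epoch seconds of the last password change


def _password_matches(entry, supplied):
    digest = hashlib.sha256(supplied.encode()).digest()
    return hmac.compare_digest(entry.password_hash, digest)


def _is_expired(entry, now):
    return now - entry.pwd_changed_time > MAX_AGE


def bind_expiry_first(entry, supplied, now):
    """Problematic order: expiry is reported whether or not the password is right."""
    if _is_expired(entry, now):
        return ("invalidCredentials", "passwordExpired")
    if not _password_matches(entry, supplied):
        return ("invalidCredentials", None)
    return ("success", None)


def bind_password_first(entry, supplied, now):
    """Corrected order: expiry is disclosed only to a caller who proved the password."""
    if not _password_matches(entry, supplied):
        return ("invalidCredentials", None)
    if _is_expired(entry, now):
        return ("invalidCredentials", "passwordExpired")
    return ("success", None)


def leaks_expiry_without_password(bind):
    """True if a caller supplying a wrong password can tell expired from fresh."""
    now = time.time()
    pw_hash = hashlib.sha256(b"correct-horse").digest()   # constructed sample
    expired = Entry(pw_hash, now - 100 * 86400)
    fresh = Entry(pw_hash, now - 1 * 86400)
    return bind(expired, "wrong", now) != bind(fresh, "wrong", now)
```

`leaks_expiry_without_password` is the check to run against any bind implementation: it should return False once the ordering is corrected.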
