OK, but how does Authelia manage it?
From: Dave Macias <davama@gmail.com>
Sent: Friday, June 21, 2024 4:28 PM
To: openldap-technical <openldap-technical@openldap.org>; Windl, Ulrich <u.windl@ukr.de>
Subject: [EXT] Re: Q: Reset a locked user's password
We encountered similar issues.
At first we had a simple script for resetting one's own password. Now we have a nice self-service frontend with an open source app called Authelia.
[Windl, Ulrich]
On Jun 21, 2024 at 9:12 AM -0400, Windl, Ulrich <u.windl@ukr.de>, wrote:
Hi!
I have a question related to policy and a user with an expired password and all grace logins consumed, like this:
pwdChangedTime[0]
20231127075102Z
pwdGraceUseTime[0]
20240429142254Z
pwdGraceUseTime[1]
20240430112006Z
pwdGraceUseTime[2]
20240527074731Z
pwdGraceUseTime[3]
20240528114912Z
pwdGraceUseTime[4]
20240528130249Z
pwdFailureTime[0]
20240611082600.348275Z
How can the user change his password? The user cannot log in anymore, obviously. If the user could log in he would have admin privileges.
I had the idea to delete the grace logins via ldapmodify, but the result (for version 2.4) was:
ldap_modify: Constraint violation (19)
additional info: pwdGraceUseTime: no user modification allowed
So what are the options (for the user himself and for an admin)?
Regards,
Ulrich
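The question above can be worked through from the attribute dump alone. The following script is an added example for this thread, not code from the mailing list or from OpenLDAP: it parses the pasted `attr[n]` / value dump, evaluates it against a pwdPolicy (the limits in `ASSUMED_POLICY` are assumed values; the real ones come from the entry's `pwdPolicySubentry` or the overlay's default policy), and builds the LDIF an administrator would feed to `ldapmodify` to replace `userPassword`. The DN in the usage line is made up.

```python
"""Interpret slapo-ppolicy operational attributes and build an admin reset.

Added example; not from the thread or from OpenLDAP.  SAMPLE_DUMP is the
dump pasted in the question, ASSUMED_POLICY holds assumed limits.
"""
import base64
from datetime import datetime, timedelta, timezone

# Constructed input: the attribute dump from the question, verbatim.
SAMPLE_DUMP = """
pwdChangedTime[0]
20231127075102Z
pwdGraceUseTime[0]
20240429142254Z
pwdGraceUseTime[1]
20240430112006Z
pwdGraceUseTime[2]
20240527074731Z
pwdGraceUseTime[3]
20240528114912Z
pwdGraceUseTime[4]
20240528130249Z
pwdFailureTime[0]
20240611082600.348275Z
"""

# Assumed pwdPolicy values (pwdMaxAge in seconds); not taken from the thread.
ASSUMED_POLICY = {"pwdMaxAge": 90 * 86400, "pwdGraceAuthNLimit": 5,
                  "pwdMaxFailure": 5}


def parse_dump(text):
    """Turn 'attr[n]' / value line pairs into {attr: [values]}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("attribute name without a value line")
    attrs = {}
    for name, value in zip(lines[::2], lines[1::2]):
        attrs.setdefault(name.split("[", 1)[0], []).append(value)
    return attrs


def parse_gentime(value):
    """Parse LDAP GeneralizedTime in UTC, with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC ('Z') timestamp: {value}")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def evaluate(attrs, policy, now_gentime):
    """Explain, from the operational attributes, whether a bind can succeed."""
    now = parse_gentime(now_gentime)
    changed = parse_gentime(attrs["pwdChangedTime"][0])
    expires = changed + timedelta(seconds=policy["pwdMaxAge"])
    grace_used = len(attrs.get("pwdGraceUseTime", []))
    grace_left = max(policy["pwdGraceAuthNLimit"] - grace_used, 0)
    failures = len(attrs.get("pwdFailureTime", []))
    # The overlay records a lockout as pwdAccountLockedTime; a failure count
    # below pwdMaxFailure does not by itself block a bind.
    locked = "pwdAccountLockedTime" in attrs
    expired = now >= expires
    reasons = []
    if locked:
        reasons.append("account locked (pwdAccountLockedTime present)")
    if expired and grace_left == 0:
        reasons.append("password expired and all grace logins consumed")
    return {
        "expires_at": expires.strftime("%Y%m%d%H%M%SZ"),
        "expired": expired,
        "grace_used": grace_used,
        "grace_left": grace_left,
        "failures": failures,
        "failures_until_lockout": max(policy["pwdMaxFailure"] - failures, 0),
        "locked": locked,
        "bind_allowed": not reasons,
        "reasons": reasons,
    }


def ldif_value(attr, value):
    """Emit 'attr: value', base64-encoding when RFC 2849 requires it."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def admin_reset_ldif(dn, new_password):
    """LDIF for ldapmodify: an administrator replaces userPassword.

    A userPassword change made through slapo-ppolicy updates pwdChangedTime
    and removes pwdGraceUseTime, pwdFailureTime and pwdAccountLockedTime
    itself, so the NO-USER-MODIFICATION attributes never need direct edits.
    """
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: userPassword",
                      ldif_value("userPassword", new_password), ""])


if __name__ == "__main__":
    state = evaluate(parse_dump(SAMPLE_DUMP), ASSUMED_POLICY, "20240621000000Z")
    for key, val in state.items():
        print(f"{key}: {val}")
    # Hypothetical DN; use the entry the dump actually came from.
    print(admin_reset_ldif("uid=ulrich,ou=people,dc=example,dc=com", "S3cret!"))
```

With the assumed 90-day `pwdMaxAge`, the password in the dump expired on 20240225075102Z, all five grace logins were used after that, and the single `pwdFailureTime` is well below lockout, which is why `evaluate` reports no bind possible even though no `pwdAccountLockedTime` is set. Because the ppolicy overlay clears the grace and failure bookkeeping whenever `userPassword` is changed, the administrator's reset succeeds where the direct `ldapmodify` delete of `pwdGraceUseTime` was refused with "no user modification allowed". If the policy has `pwdMustChange` set, the overlay marks the entry `pwdReset: TRUE` on such an administrative reset, so the user is limited to changing the password at the next bind; feed the LDIF to `ldapmodify` over TLS, bound as an identity with write access to `userPassword`, and remember that the value is stored as sent unless `ppolicy_hash_cleartext` is enabled.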