We setup authelia to use a “password manager” account which handles the password reset for a user. Plus if you have a ppolicy, you can also implement the  policy rules on the frontend side of authelia, so thats a nice feature.
But users who need a reset, select “reset password”, input their username and receive an email with a link. Using that link, they are then able to reset their password, and receive a confirmation email that it was successful.
You can msg me personally if you have any more questions
On Jun 24, 2024 at 2:02 AM -0400, Windl, Ulrich <u.windl@ukr.de>, wrote:

OK, but how does Authelia manage it?

 

From: Dave Macias <davama@gmail.com>
Sent: Friday, June 21, 2024 4:28 PM
To: openldap-technical <openldap-technical@openldap.org>; Windl, Ulrich <u.windl@ukr.de>
Subject: [EXT] Re: Q: Reset a locked user's password

 

We encountered similar issues.
At first we had a simple script for reseting own password. Now have a nice self-service frontend with an open source app called authelia.

[Windl, Ulrich]

 

On Jun 21, 2024 at 9:12 AM -0400, Windl, Ulrich <u.windl@ukr.de>, wrote:

Hi!

 

I have a question related to policy and a user with an expired password and all grace logins consumed, like this:

 

pwdChangedTime[0]

20231127075102Z

pwdGraceUseTime[0]

20240429142254Z

pwdGraceUseTime[1]

20240430112006Z

pwdGraceUseTime[2]

20240527074731Z

pwdGraceUseTime[3]

20240528114912Z

pwdGraceUseTime[4]

20240528130249Z

pwdFailureTime[0]

20240611082600.348275Z

 

How can the user change his password? The user cannot log in anymoe, obviously. If the user could log in he would have admin privileges.

I had the idea to delete the grace logins via ldapmodify, but the result (for version 2.4) was:

 

ldap_modify: Constraint violation (19)

        additional info: pwdGraceUseTime: no user modification allowed

 

So what are the options (for the user himself and for an admin)?

 

Regards,

Ulrich