-
Hello, I have set gracelimit=0 to stop users with an expired password from still being able to authenticate via LDAPS. The issue we now have is that once a user's password has expired they can't change it. It takes them to the 'change your password' screen, but whatever they enter fails with 'incorrect username or password'. If I set gracelimit=-1 they can then change their password fine. I've tested with changing to gracelimit=3. This does allow the user to change their password, but it also allows them to authenticate to an external application 3 times. Is there any way to allow the user to change their password but not allow authentication to the external application? Thanks
Replies: 2 comments
-
gracelimit=0 prevents any LDAP binds for expired passwords, therefore it is not possible to change the password for the user. As far as I know there is no way to have something like gracelimit for password changes only.
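The trade-off described in the question and the reply comes down to one rule: a password change over LDAP needs a successful bind as the user, and the grace limit decides whether an expired-password bind is allowed at all. The following is an added illustration, not FreeIPA's code, that models the bind/grace accounting under the semantics stated in this thread (-1 unlimited, 0 none, N a counted allowance). The `UserState`, `bind`, `change_password` and `simulate` names and the assumption that external-application logins and the password-change bind draw from the same grace counter are constructed for the example.

```python
# Constructed model of grace-limited LDAP binds after password expiry.
# This is NOT FreeIPA's implementation; it encodes the semantics as stated
# in the discussion above:
#   gracelimit == -1 : binds after expiry are unlimited
#   gracelimit ==  0 : no binds after expiry at all
#   gracelimit ==  N : N binds after expiry, then refused
# Assumption: a password change first requires a successful bind as the
# user, and that bind counts against the same grace allowance as any
# other application's bind.

from dataclasses import dataclass


@dataclass
class UserState:
    password_expired: bool
    grace_binds_used: int = 0


def bind(user: UserState, gracelimit: int) -> bool:
    """Return True if a simple bind succeeds; consumes a grace bind when applicable."""
    if not user.password_expired:
        return True
    if gracelimit == -1:
        return True
    if gracelimit == 0:
        return False
    if user.grace_binds_used < gracelimit:
        user.grace_binds_used += 1
        return True
    return False


def change_password(user: UserState, gracelimit: int) -> bool:
    """A password change needs an authenticated bind first (assumption)."""
    if not bind(user, gracelimit):
        return False
    # Successful change: password is no longer expired, grace usage resets.
    user.password_expired = False
    user.grace_binds_used = 0
    return True


def simulate(gracelimit: int, external_app_attempts: int) -> tuple[int, bool]:
    """Expired user: try N external-app binds, then a password change.

    Returns (number of external-app binds that succeeded, change succeeded).
    """
    user = UserState(password_expired=True)
    app_successes = sum(
        1 for _ in range(external_app_attempts) if bind(user, gracelimit)
    )
    return app_successes, change_password(user, gracelimit)


if __name__ == "__main__":
    for limit in (-1, 0, 3):
        for attempts in (0, 3):
            print(f"gracelimit={limit:>2} app attempts={attempts}: "
                  f"{simulate(limit, attempts)}")
```

Running it shows the three outcomes discussed: with gracelimit=0 neither the external application nor the password change gets a bind; with -1 both always succeed; with 3 the user gets the change only as long as the external application has not already used up the allowance.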
-
Correct, this is by design: https://freeipa.readthedocs.io/en/latest/designs/ldap_grace_period.html