Previously, if a user password expired, it needed to be reset on the LDAP server. Now there is a new capability added to the LDAP and JDBC extensions to enable changing passwords from the front end in a new change password screen. The login procedure must be amended to account for a use case where the password is expired and the machine now prompts the user with a password dialogue. Assignee should assess whether this needs to be called out explicitly in the documentation or is clear enough in the UI.
Assigning to Byron for review.
Yaniv, why are we using expiring passwords? The policy of forced password expiry is generally rejected by security experts. I can't think of any good reason for enabling this policy. https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry https://cryptosmith.com/password-sanity/exp-harmful/ https://arstechnica.com/information-technology/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/
Moran, can you comment?