Description
LDAP users can be set up to require a forced password change after a password reset. It would be nice if Keycloak supported prompting the user for a new password in this case.
Details
For example, OpenLDAP implements the password policy control defined in https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11. Section 9.1 (Bind Operation) documents the following case:
* bindResponse.resultCode = success (0), passwordPolicyResponse.error = changeAfterReset (2): The user is binding for the first time after the password administrator set the password. In this scenario, the client SHOULD prompt the user to change his password immediately.
If Keycloak supported the passwordPolicyRequest LDAP control, it could use this response as the trigger for a forced password change.
Motivation
The password policy LDAP control is commonly supported by LDAP servers and clients. The following is not a full list, just some examples.
Servers that support the password policy LDAP control:
- OpenLDAP
- 389ds
LDAP clients that support the control by prompting the user for a new password:
- sssd
- pam_ldap
- nss-pam-ldapd