Expired password form does not show up on LDAP expired password
Concerned version
Version: 2.0.11
Platform: CentOS 8 / Apache 2.4.37 LDAP Directory : FreeIPA v4.8.7
Summary
When a user logs in with an expired LDAP password, the portal does not show the password renewal form. The LDAP attribute used by FreeIPA to consider an account as expired is "krbPasswordExpiration".
Logs
See attached log auth_with_expired_pass.log
Possible fixes
Evaluate expired status from krbPasswordExpiration attribute
I read about issue #2377 (closed); I can't say whether it's linked or not.
The "_whatToTrace" macro has the value
$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)
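The "Possible fixes" section above suggests deriving the expired state from krbPasswordExpiration. The following is an added illustration of what that check looks like; it is not code from LemonLDAP::NG or FreeIPA. It assumes FreeIPA stores the attribute as an RFC 4517 GeneralizedTime in UTC "Z" form (e.g. 20240131120000Z), that attribute values arrive as lists of bytes the way python-ldap returns them, and that a missing attribute means no expiry is set. The sample entries are constructed, not taken from a real directory.

```python
"""Decide whether a FreeIPA account's password is expired from its LDAP entry."""
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime in the form FreeIPA writes it: YYYYMMDDHHMM[SS][.fff]Z.
# Assumption: values arrive as bytes, the way python-ldap returns attributes.
_GENERALIZED_TIME = re.compile(
    rb"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(?:[.,]\d+)?Z$"
)


def parse_generalized_time(value: bytes) -> datetime:
    """Parse a 'Z'-terminated LDAP GeneralizedTime into an aware UTC datetime.

    Fractional seconds are dropped. A malformed or non-UTC value raises
    ValueError so a caller never mistakes garbage for "not expired".
    """
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def password_state(entry: dict, now: datetime, warn_days: int = 7) -> str:
    """Return 'expired', 'expiring' or 'ok' for one LDAP entry.

    entry maps attribute names to lists of bytes (python-ldap style).
    No krbPasswordExpiration means no expiry is set, reported as 'ok';
    krbPasswordExpiration <= now is 'expired'; within warn_days is 'expiring'.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        return "ok"
    expires = parse_generalized_time(values[0])
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


# Constructed sample entries (not real directory data), evaluated relative to NOW.
NOW = datetime(2024, 2, 1, 9, 0, 0, tzinfo=timezone.utc)
EXPIRED_USER = {
    "uid": [b"alice"],
    "krbPasswordExpiration": [b"20240131120000Z"],  # the day before NOW
}
EXPIRING_USER = {
    "uid": [b"bob"],
    "krbPasswordExpiration": [b"20240205090000Z"],  # four days after NOW
}
VALID_USER = {
    "uid": [b"carol"],
    "krbPasswordExpiration": [b"20240601000000Z"],
}
NO_EXPIRY_USER = {"uid": [b"svc-backup"]}  # e.g. an account with no expiry set

if __name__ == "__main__":
    for user in (EXPIRED_USER, EXPIRING_USER, VALID_USER, NO_EXPIRY_USER):
        uid = user["uid"][0].decode()
        print(f"{uid}: {password_state(user, NOW)}")
```

A portal would run this check on the user's entry after a successful bind and route an "expired" result to the password renewal form instead of completing the login; rejecting malformed values rather than treating them as valid is deliberate, since a silently ignored attribute is exactly how an expired account ends up logged in.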