Option to allow a user to reset an expired password
In our current LDAP/AD implementation, we do not allow a user with an expired password to change it, see the diagrams done by David here: http://lemonldap-ng.org/documentation/latest/authldap
This seems legit, as the user can use the "reset my password" form. But this method won't work if the password needed to read the "reset mail" is the same one, which is a common case. In this situation, the user is forced to call support to get a new password.
In real life, we may want to let the user directly change their expired password, the same way it is done when the flag "reset after first authentication" is set. This is what is done for example by ADFS: in both cases, the user can change their password.
I am willing to add an option in LL::NG to allow this behavior, the default value being the current behavior. To do this, we must be sure that the old password is valid, even if the authentication is not successful (as the password is expired).
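As an added illustration of the "old password must still be valid" check (this is example code written for this note, not LL::NG's Perl code, and it does not talk to a directory): Active Directory answers a failed simple bind with a diagnostic message carrying a `data NNN` code. Only codes such as `532` (password expired) or `773` (must change password at next logon) are returned once the supplied password itself has been verified, while a wrong password yields `52e`. The hypothetical `bind_outcome` below turns that into the decision the option would need: log in, offer the change-password form, or deny, with the expired-change path disabled by default. The sample messages are constructed.

```python
import re

# Well-known "data" codes in the diagnostic message AD returns for a failed
# bind (AcceptSecurityContext error). Only the subset needed here is listed.
AD_BIND_DATA_CODES = {
    "525": "user_not_found",
    "52e": "invalid_credentials",      # wrong password: nothing has been proven
    "530": "logon_time_restriction",
    "531": "workstation_restriction",
    "532": "password_expired",         # password was correct but has expired
    "533": "account_disabled",
    "701": "account_expired",
    "773": "must_change_password",     # correct password, "reset at next logon" flag set
    "775": "account_locked",
}

# Reasons for which the user has just proven knowledge of the old password
# and may therefore be allowed to pick a new one.
PROVEN_PASSWORD_REASONS = {"password_expired", "must_change_password"}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")


def classify_bind_failure(diagnostic_message: str) -> str:
    """Map an AD bind diagnostic message to a symbolic failure reason."""
    match = _DATA_RE.search(diagnostic_message or "")
    if not match:
        return "unknown"
    return AD_BIND_DATA_CODES.get(match.group(1).lower(), "unknown")


def bind_outcome(bind_succeeded: bool, diagnostic_message: str,
                 allow_expired_change: bool = False) -> str:
    """Decide what the portal should do after a bind attempt.

    Returns "login", "change_password" or "deny". The expired-password
    change flow is offered only when the option is enabled AND the directory
    reported a failure reason that implies the old password was correct.
    """
    if bind_succeeded:
        return "login"
    reason = classify_bind_failure(diagnostic_message)
    if allow_expired_change and reason in PROVEN_PASSWORD_REASONS:
        return "change_password"
    return "deny"


# Constructed sample diagnostic messages (DSID and version fields are made up).
SAMPLE_MESSAGES = {
    "expired": "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v4563",
    "wrong_pw": "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v4563",
    "must_change": "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 773, v4563",
    "locked": "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v4563",
}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name:12} reason={classify_bind_failure(msg):20} "
              f"default={bind_outcome(False, msg):16} "
              f"with_option={bind_outcome(False, msg, allow_expired_change=True)}")
```

With the option off, every failed bind is denied exactly as today; with it on, only the expired and must-change cases reach the change-password form, and a wrong password is still denied, so the form is never shown to someone who has not presented the current password.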