S. Fieux
Thank you @coudot for your remarks. The way the PR works is: * Try to bind as the user first (previous behaviour): this 1/ ensures that the password is fully...
To answer @plewin: You're mostly right, I'll change the code, do a bit of testing on my side and update the PR later. 1. True, but with $ldap_bytes instead of...
> I don't see the point here, what is the link with the expired password?

When an admin sets the `pwdReset` operational attribute for a user, it means that this user...
Sucks for me then... One option would be to edit `change.php` to read the userPassword field as Manager, hash the old password using the same method/salt, and check that both...
Indeed, a correct implementation for this - one not bypassing bruteforce protection - would have to: - always try to bind first: it adds a failure if the old password...