
Let me explain my issue.

I have a PHP application using an LDAP connection to an Active Directory server to authenticate. If I make it so that a user needs to change their password at the next login, it won't allow me to authenticate them before I allow the password change. I can detect that the password change is required, but if I allowed the user to change it then I have no way to work out whether the user is valid or not, which means that the system could be hacked by just knowing the username of a user whose password has expired.

This to me seems daft... is there something I'm missing?

Currently I am:

binding to the server

checking if the password has expired or not

checking the authenticating user's details

This is what I get returned if the user's account is set to change password on next login: auth has failed, but there is a password change request.

Is there a specific order the requests need to be sent in so I can auth the user before the password change is sent?

Thanks in advance


1 Answer


Marking the account "Must change password at next login" means it effectively authenticates with no password, so this does not translate to the network.

A better option is to compare the user's pwdLastSet attribute with the domain policy and enforce the change in the application rather than in AD.

answered 2013-04-10T15:36:20.957
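As an added example of the approach in the answer (not code from the original post), the check below compares pwdLastSet with the domain's maxPwdAge in the application, after the user has already bound with their current password. It assumes a 64-bit PHP build; the attribute names are real AD attributes, while the constants, the function names and the sample values are constructed for this illustration.

```php
<?php
// Added example (not from the original post): decide in the application whether the
// password has expired by comparing pwdLastSet with the domain's maxPwdAge.
// Both are Windows FILETIME-style values: pwdLastSet is 100-ns ticks since
// 1601-01-01 UTC; maxPwdAge (on the domain root object) is a negative 100-ns
// interval. Assumes a 64-bit PHP build.

const WINDOWS_EPOCH_OFFSET = 11644473600; // seconds from 1601-01-01 to 1970-01-01
const ADS_UF_DONT_EXPIRE_PASSWD = 0x10000; // userAccountControl flag

/** Convert a FILETIME tick count to a Unix timestamp in seconds. */
function filetime_to_unix(int $ticks): int
{
    return intdiv($ticks, 10000000) - WINDOWS_EPOCH_OFFSET;
}

/**
 * 'must_change' when pwdLastSet is 0 (the "change at next logon" marker),
 * 'expired' when the password is older than the domain policy allows,
 * 'ok' otherwise. Do the bind first; call this only for a user who has
 * already authenticated with their current password.
 */
function password_state(int $pwdLastSet, int $maxPwdAge, int $userAccountControl, int $now): string
{
    if ($pwdLastSet === 0) {
        return 'must_change';
    }
    // maxPwdAge of 0 or PHP_INT_MIN means "passwords never expire", as does the
    // DONT_EXPIRE_PASSWD bit on the account itself.
    if ($maxPwdAge === 0 || $maxPwdAge === PHP_INT_MIN
        || ($userAccountControl & ADS_UF_DONT_EXPIRE_PASSWD) !== 0) {
        return 'ok';
    }
    $maxAgeSeconds = intdiv(-$maxPwdAge, 10000000);
    return ($now - filetime_to_unix($pwdLastSet)) > $maxAgeSeconds ? 'expired' : 'ok';
}

// Constructed sample values (not read from a real directory): a 42-day policy and
// a password last set 50 days ago, so the first case is expired.
$now = time();
$maxPwdAge = -42 * 86400 * 10000000;
$pwdLastSet = ($now - 50 * 86400 + WINDOWS_EPOCH_OFFSET) * 10000000;

echo password_state($pwdLastSet, $maxPwdAge, 512, $now), "\n";
echo password_state(0, $maxPwdAge, 512, $now), "\n";
echo password_state($pwdLastSet, $maxPwdAge, 512 | ADS_UF_DONT_EXPIRE_PASSWD, $now), "\n";

// In the application the inputs come from the bound connection, for example
// ldap_read($conn, $baseDn, '(objectClass=*)', ['maxpwdage']) for the domain root and
// ldap_search($conn, $baseDn, "(sAMAccountName=$user)", ['pwdlastset', 'useraccountcontrol']).
```

The values returned by ldap_get_entries() are strings, so cast them to int before calling password_state().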