Environment
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration
Situation
The customer is in the process of upgrading from iChain to Access Manager.
Both setups are configured to redirect users to a password
management servlet when a user authenticates and their password has
expired. In the case of iChain, users are always redirected when
the 'password expired' message is returned from the LDAP server for
the bind request (errorMessage of -223).
In the case of Access Manager, users whose passwords had expired were not redirected to the password management servlet when they authenticated to the Access Manager Identity (IDP) server.
Resolution
Make sure that the LDAP user defined for the user replica store has
read rights to the grace login attributes ("loginGraceLimit", "loginGraceRemaining") and that no grace logins remain
for the user that is authenticating.
Access Manager's implementation is different from that of iChain. With Access Manager, we check for LDAP errors, and when we get one we redirect to the password management servlet. The issue is that, when a password has expired but grace logins remain, the LDAP return code for the bind operation is a success and no error is reported. Only when the password has expired and no grace logins remain will the LDAP server return an error 49. When we get this non-success return code, we redirect the user to the password management servlet.
If an administrator is using an LDAP proxy user, rather than the admin user, to read attributes in the directory, the proxy user must be set up to read the grace login attributes mentioned above. Failure to do so will result in users never being redirected to the password management servlet.
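The following is an added example, not code from Novell or from this TID: a constructed, offline model of the bind behaviour described in the Resolution above, showing why iChain redirects on the first expired-password login while Access Manager redirects only after the grace logins are used up (bind result 49), plus a small diagnostic that reports which grace attributes the replica-store (proxy) user cannot read. DirectoryModel, UserEntry and the user DNs are assumptions made for the simulation; the attribute names and return codes are the ones the TID names.

```python
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # returned once an expired password has no grace logins left
EXPIRED_MSG = "-223"            # eDirectory 'password expired' message that iChain keys off
GRACE_ATTRS = ("loginGraceLimit", "loginGraceRemaining")

@dataclass
class UserEntry:
    password_expired: bool
    loginGraceLimit: int
    loginGraceRemaining: int

class DirectoryModel:  # constructed stand-in for eDirectory bind and grace-login rules
    def __init__(self, users, proxy_can_read_grace=True):
        self.users = users
        self.proxy_can_read_grace = proxy_can_read_grace

    def bind(self, dn):
        u = self.users[dn]
        if not u.password_expired:
            return LDAP_SUCCESS, None
        if u.loginGraceRemaining > 0:
            u.loginGraceRemaining -= 1                # grace login consumed, bind still succeeds
            return LDAP_SUCCESS, EXPIRED_MSG
        return LDAP_INVALID_CREDENTIALS, EXPIRED_MSG  # grace logins exhausted, bind fails

    def read_grace_attrs(self, dn):
        if not self.proxy_can_read_grace:
            return {}                                 # no read rights: attributes never come back
        return {a: getattr(self.users[dn], a) for a in GRACE_ATTRS}

def ichain_redirects(code, message):
    return message == EXPIRED_MSG       # iChain: redirect whenever the -223 message is present

def access_manager_redirects(code, message):
    return code != LDAP_SUCCESS         # Access Manager: redirect only on a non-success bind code

def simulate_logins(directory, dn, attempts):
    """Per attempt: (bind_code, ichain_redirects, access_manager_redirects)."""
    out = []
    for _ in range(attempts):
        code, msg = directory.bind(dn)
        out.append((code, ichain_redirects(code, msg), access_manager_redirects(code, msg)))
    return out

def missing_grace_rights(directory, dn):
    """Grace attributes the replica-store user cannot read; an empty list means rights are OK."""
    return [a for a in GRACE_ATTRS if a not in directory.read_grace_attrs(dn)]
```

With two grace logins, the first two expired-password binds succeed (Access Manager does not redirect) and the third returns 49; a proxy user without read rights shows up as both grace attributes missing from the diagnostic.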