I have configured a solution where, when VPN users log in, they are authenticated using secure LDAP by a Windows AD server. I carried out several tests with the following results:
On the AD server - Prompt user to change password at next logon - PASS
On the AD server - Force users to change password when expiry trigger hit - PASS
On the AD server - Disable windows account to make sure this is reported when logging in via VPN client - PASS
On the AD server - Expire an account to make sure this is reported when logging in via VPN client - PASS
On the AD server - Enforced password minimum length and made sure the password change occurs when the condition is met and does not when it is not - PASS
On the AD server - Enforced password complexity and made sure the password change occurs when the condition is met and does not when it is not - PASS
Triggered account lockout on the AD server to make sure this is reported when users log in via VPN - PASS
The only thing I tested so far that does not appear to function is when "password history" is enabled on the AD server. A user is still able to change their password to one previously used.
Does anyone know if this should or should not work, and if it does, what I may need to configure and where?