Environment
Self Service Password Reset 4.4
eDirectory is the LDAP server on the backend of SSPR
Situation
When attempting to change the password for a user that has an expired password, the following errors are received in the Self Service Password Reset log file.
5026 ERROR_BAD_SESSION_PASSWORD
unable to authenticate with password read from directory, check proxy rights, ldap logs; error: 4006 PASSWORD_BADPASSWORD (unable to create connection: unable to bind to ldaps://1.1.1.1:636 as cn=user1,ou=TestOU,o=TestO reason: [LDAP: error code 49 - NDS error: bad password (-222)])) [1.1.1.1]
Resolution
With eDirectory on the backend of SSPR, the user must have grace logins remaining to be able to change the password through SSPR when the password is expired.
Increase the Grace Logins in the Password Policy assigned to the user.
See Technical Information Document 7018114 - SSPR Users locked after Grace Logins Expire, for more information.
Cause
The user account is out of grace logins.
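
A triage sketch for the condition described above, added here as an example and not taken from SSPR or the vendor's documentation: it pulls the bind DN and NDS error out of the logged message, then checks an LDIF export of that user for an expired password with no grace logins left. The attribute names passwordExpirationTime and loginGraceRemaining are assumed to be the eDirectory LDAP names for these values; the LDIF sample and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Bind-failure detail as it appears in the SSPR log message quoted above.
BIND_FAILURE = re.compile(
    r"unable to bind to (?P<url>ldaps?://\S+) as (?P<dn>.+?) reason: "
    r"\[LDAP: error code (?P<ldap>\d+) - NDS error: (?P<text>.+?) \((?P<nds>-?\d+)\)\]"
)
# Log excerpt copied from the Situation section.
SAMPLE_LOG = ("unable to bind to ldaps://1.1.1.1:636 as cn=user1,ou=TestOU,o=TestO "
              "reason: [LDAP: error code 49 - NDS error: bad password (-222)]")
# Constructed sample: LDIF export of the affected user (values are made up).
SAMPLE_LDIF = """dn: cn=user1,ou=TestOU,o=TestO
passwordExpirationTime: 20240101000000Z
loginGraceLimit: 3
loginGraceRemaining: 0
"""

def parse_bind_failure(line):
    """Return url, dn, LDAP result code and NDS error from a log line, or None."""
    m = BIND_FAILURE.search(line)
    if m is None:
        return None
    found = m.groupdict()
    found["ldap"], found["nds"] = int(found["ldap"]), int(found["nds"])
    return found

def parse_ldif(ldif):
    """Parse plain 'attr: value' lines of one entry (no base64, no line folding)."""
    entry = {}
    for raw in ldif.splitlines():
        if ": " in raw and not raw.startswith("#"):
            key, value = raw.split(": ", 1)
            entry[key.lower()] = value.strip()
    return entry

def out_of_grace(entry, now):
    """True only when the password is expired and no grace logins remain."""
    expires = entry.get("passwordexpirationtime")
    remaining = entry.get("logingraceremaining")
    if expires is None or remaining is None:
        return False  # cannot confirm the condition from this entry
    when = datetime.strptime(expires, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return when <= now and int(remaining) <= 0

if __name__ == "__main__":
    failure = parse_bind_failure(SAMPLE_LOG)
    user = parse_ldif(SAMPLE_LDIF)
    print(failure["dn"], failure["nds"], out_of_grace(user, datetime.now(timezone.utc)))
```

An entry that matches is one where the resolution above applies: the grace logins in the password policy assigned to the user need to be increased.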