Feature Request - Allow Proxy User for Authenticated Password Changes in Active Directory

[Cleiton Mafioletti]

Hello,

Environment:

• PWM 2.0.8 (b7ed22b)
• Microsoft Active Directory
• LDAP Proxy User configured
• "Use Proxy When Password Forgotten" enabled

Problem:

PWM currently supports the setting:

LDAP → LDAP Settings → Microsoft Active Directory → Use Proxy When Password Forgotten

This allows password reset operations to be performed through the configured LDAP Proxy User account.

However, there does not appear to be an equivalent option for the Authenticated Change Password module.

In environments where users are intentionally denied the Active Directory "Change Password" permission, but a service account is allowed to perform password resets, the current behavior creates an inconsistency:

• Forgotten Password works successfully through the proxy account.
• Authenticated Change Password fails because the operation is performed as the user.

Use Case:

Many organizations use a delegated service account to perform password changes and resets. This is common when:

• Users are denied direct password change permissions.
• Password changes must be centrally controlled.
• Active Directory ACLs restrict Change Password operations.

Requested Enhancement:

Add a configurable option similar to:

Modules → Authenticated → Change Password

Use Proxy Connection For Password Change = True/False

or

LDAP → LDAP Settings → Microsoft Active Directory

Use Proxy When Password Changed = True/False

When enabled, the authenticated password change workflow would perform the password update through the configured LDAP Proxy User rather than the authenticated user's LDAP session.

Benefits:

• Consistent behavior between Forgotten Password and Change Password.
• Eliminates the need for custom source code patches.
• Simplifies upgrades to newer PWM versions.
• Better support for delegated Active Directory administration models.

Thank you for considering this enhancement.