Feature Request - Allow Proxy User for Authenticated Password Changes in Active Directory

32 views
Skip to first unread message

Cleiton Mafioletti

unread,
Jun 18, 2026, 9:53:08 AMJun 18
to pwm-general

Hello,

Environment:

  • PWM 2.0.8 (b7ed22b)
  • Microsoft Active Directory
  • LDAP Proxy User configured
  • "Use Proxy When Password Forgotten" enabled

Problem:

PWM currently supports the setting:

LDAP → LDAP Settings → Microsoft Active Directory → Use Proxy When Password Forgotten

This allows password reset operations to be performed through the configured LDAP Proxy User account.

However, there does not appear to be an equivalent option for the Authenticated Change Password module.

In environments where users are intentionally denied the Active Directory "Change Password" permission, but a service account is allowed to perform password resets, the current behavior creates an inconsistency:

  • Forgotten Password works successfully through the proxy account.
  • Authenticated Change Password fails because the operation is performed as the user.

Use Case:

Many organizations use a delegated service account to perform password changes and resets. This is common when:

  • Users are denied direct password change permissions.
  • Password changes must be centrally controlled.
  • Active Directory ACLs restrict Change Password operations.

Requested Enhancement:

Add a configurable option similar to:

Modules → Authenticated → Change Password

Use Proxy Connection For Password Change = True/False

or

LDAP → LDAP Settings → Microsoft Active Directory

Use Proxy When Password Changed = True/False

When enabled, the authenticated password change workflow would perform the password update through the configured LDAP Proxy User rather than the authenticated user's LDAP session.

Benefits:

  • Consistent behavior between Forgotten Password and Change Password.
  • Eliminates the need for custom source code patches.
  • Simplifies upgrades to newer PWM versions.
  • Better support for delegated Active Directory administration models.

Thank you for considering this enhancement.

Jason Rivard

unread,
Jun 19, 2026, 2:52:45 PMJun 19
to pwm-general
I can't imagine how this is a good idea from a security perspective.  It's opposite to the LDAP security model though I get this is the sort of model AD seems to encourage, so nonetheless I'll take it into consideration when I next do some work on PWM.

Jason Rivard

unread,
Jun 19, 2026, 2:53:28 PMJun 19
to pwm-general
Also please post this request as a github issue so it doesn't get lost...Thanks!

Cleiton Mafioletti

unread,
Jun 19, 2026, 3:01:41 PMJun 19
to pwm-general
I understand, I'm speaking out of personal necessity. I don't know if it would be a necessity for most people, but there's the idea, lol.
Could you tell me the path I should take to add the patch in this latest version?

Patch:

patch.jpg

It used to be:

server/src/main/java/password/pwm/util/operations/PasswordUtility.java

Now it would be ?

server/src/main/java/password/pwm/util/password/PasswordUtility.java

Cleiton Mafioletti

unread,
Jun 19, 2026, 3:02:56 PMJun 19
to pwm-general
Yes, you can leave it to me.
Reply all
Reply to author
Forward
0 new messages