Index: auth.php
===================================================================
RCS file: /cvsroot/moodle/moodle/auth/ldap/auth.php,v
retrieving revision 1.99.2.2
diff -u -r1.99.2.2 auth.php
--- auth.php	26 Jul 2011 09:29:33 -0000	1.99.2.2
+++ auth.php	9 Aug 2011 14:22:01 -0000
@@ -33,6 +33,11 @@
     define ('UF_DONT_EXPIRE_PASSWD', 0x00010000);
 }
 
+// LDAP_OPT_DIAGNOSTIC_MESSAGE gets the extended error output from the ldap_get_option function
+if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
+    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
+}
+
 // The Posix uid and gid of the 'nobody' account and 'nogroup' group.
 if (!defined('AUTH_UID_NOBODY')) {
     define('AUTH_UID_NOBODY', -2);
@@ -124,6 +129,7 @@
      * @return bool Authentication success or failure.
      */
     function user_login($username, $password) {
+		global $CFG, $DB, $OUTPUT;
         if (! function_exists('ldap_bind')) {
             print_error('auth_ldapnotinstalled', 'auth_ldap');
             return false;
@@ -181,10 +187,45 @@
 
         // Try to bind with current username and password
         $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, $extpassword);
-        $this->ldap_close();
+		$userid = $DB->get_field('user', 'id', array('username'=>$username));
+		
         if ($ldap_login) {
+			if(is_numeric($userid)){
+				set_user_preference('auth_forcepasswordchange', false, $userid);
+			}
+			$this->ldap_close();
             return true;
         }
+		else if (ldap_get_option($ldapconnection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)){
+			
+			//explode the error message so we are only looking at the error codes
+
+			$extended_error = explode(', ', $extended_error);
+
+			if(strpos($extended_error[2],'773') || strpos($extended_error[2],'532')){
+
+				if(is_numeric($userid)){
+					set_user_preference('auth_forcepasswordchange', true, $userid);
+				}
+				
+				$this->ldap_close();
+				unset($extended_error);
+				
+				if(is_numeric($userid)){
+					if($DB->record_exists('user_preferences', array('value'=>1, 'userid'=>$userid, 'name'=>'auth_forcepasswordchange'))){
+						return true;
+					}
+					else{
+						return false;
+					}
+				}else{
+					//debugging("user not created yet, let them in?");
+					return true;
+				}
+			}
+			
+		}
+		$this->ldap_close();
         return false;
     }