When pwdReset=TRUE (after an admin password reset), the LDAP bind actually succeeds, so CAS thinks the user is logged in, but other LDAP operations are not allowed until the user changes the password.
I would expect CAS to catch this under the LdapErrorDefinition for p:type="mustChangePassword"; however, if no error is generated, there is no way to catch it.
Other LPPE features work when configured with the correct code/error strings for my LDAP implementation. I got the right errors generated for the accountDisabled, accountLocked and passwordExpired paths.
LDAP = Sun Java Directory Server
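As an added example (not CAS, LPPE or the poster's own code), here is a post-bind probe that turns the silent pwdReset state into a mustChangePassword outcome. It assumes the user's entry exposes a `pwdReset` operational attribute and that a search run as the freshly bound user is refused while the password is in the reset state; a constructed fake directory stands in for a live server.

```python
"""Post-bind probe for the pwdReset case (added example, not CAS code).

Assumed: the entry has a `pwdReset` attribute, and a search as the reset user
is refused. The connection is duck-typed (bind / search / entries) so the fake
below can stand in for a real ldap3 Connection.
"""
from dataclasses import dataclass, field


@dataclass
class LoginOutcome:
    bound: bool
    status: str  # "ok" | "invalidCredentials" | "mustChangePassword"


def classify_login(conn, user_dn, password):
    """Bind, then probe with a trivial operation; map the result to an LPPE-style status."""
    if not conn.bind(user_dn, password):
        return LoginOutcome(False, "invalidCredentials")
    # A successful bind alone cannot distinguish a reset password from a normal one,
    # so read the user's own entry: a refused read means the password must be changed.
    if not conn.search(user_dn, "(objectClass=*)", attributes=["pwdReset"]):
        return LoginOutcome(True, "mustChangePassword")
    entry = conn.entries[0] if conn.entries else {}
    if str(entry.get("pwdReset", "FALSE")).upper() == "TRUE":
        return LoginOutcome(True, "mustChangePassword")
    return LoginOutcome(True, "ok")


@dataclass
class FakeDirectory:
    """Constructed stand-in for a directory; models normal, reset and bad-password users."""
    passwords: dict
    reset: set = field(default_factory=set)
    refuse_ops_on_reset: bool = True  # the behaviour described in the post
    entries: list = field(default_factory=list)
    _bound_as: str = None

    def bind(self, dn, password):
        self._bound_as = dn if self.passwords.get(dn) == password else None
        return self._bound_as is not None

    def search(self, base, flt, attributes=()):
        if self._bound_as in self.reset and self.refuse_ops_on_reset:
            self.entries = []
            return False
        self.entries = [{"pwdReset": "TRUE" if base in self.reset else "FALSE"}]
        return True
```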