diff --git a/modules/lemonldap-ng-portal/example/mail.pl b/modules/lemonldap-ng-portal/example/mail.pl
index b8b20d542..77fe9bc0e 100755
--- a/modules/lemonldap-ng-portal/example/mail.pl
+++ b/modules/lemonldap-ng-portal/example/mail.pl
@@ -33,20 +33,40 @@ $template->param(
     ? ""
     : $portal->{mail}
 );
+$template->param(
+    MAIL_TOKEN => $portal->checkXSSAttack( 'mail_token', $portal->{mail_token} )
+    ? ""
+    : $portal->{mail_token}
+);
 
 # Display form the first time
-if ( $portal->{error} == PE_MAILFORMEMPTY
-    or ( $portal->{error} == PE_BADCREDENTIALS and !$portal->{mail_token} ) )
+if (
+    (
+           $portal->{error} == PE_MAILFORMEMPTY
+        or $portal->{error} == PE_BADCREDENTIALS
+    )
+    and !$portal->{mail_token}
+  )
 {
 
-    $template->param( DISPLAY_FORM        => 1 );
-    $template->param( DISPLAY_RESEND_FORM => 0 );
+    $template->param( DISPLAY_FORM          => 1 );
+    $template->param( DISPLAY_RESEND_FORM   => 0 );
+    $template->param( DISPLAY_PASSWORD_FORM => 0 );
 }
 
 # Display mail confirmation resent form
 if ( $portal->{error} == PE_MAILCONFIRMATION_ALREADY_SENT ) {
-    $template->param( DISPLAY_FORM        => 0 );
-    $template->param( DISPLAY_RESEND_FORM => 1 );
+    $template->param( DISPLAY_FORM          => 0 );
+    $template->param( DISPLAY_RESEND_FORM   => 1 );
+    $template->param( DISPLAY_PASSWORD_FORM => 0 );
+}
+
+if ( $portal->{mail_token}
+    and ( $portal->{error} != PE_MAILERROR and $portal->{error} != PE_MAILOK ) )
+{
+    $template->param( DISPLAY_FORM          => 0 );
+    $template->param( DISPLAY_RESEND_FORM   => 0 );
+    $template->param( DISPLAY_PASSWORD_FORM => 1 );
 }
 
 print $portal->header('text/html; charset=utf8');
diff --git a/modules/lemonldap-ng-portal/example/skins/impact/mail.tpl b/modules/lemonldap-ng-portal/example/skins/impact/mail.tpl
index 7373ed006..ac0bdffc0 100644
--- a/modules/lemonldap-ng-portal/example/skins/impact/mail.tpl
+++ b/modules/lemonldap-ng-portal/example/skins/impact/mail.tpl
@@ -56,6 +56,34 @@
       </form>
       </TMPL_IF>
 
+      <TMPL_IF NAME="DISPLAY_PASSWORD_FORM">
+      <form action="#" method="post" class="password">
+      <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
+      <input type="hidden" id="mail_token" name="mail_token" value="<TMPL_VAR NAME="MAIL_TOKEN">" />
+      <div id="content-all-info">
+        <table>
+        <tr><th><lang en="New password" fr="Nouveau mot de passe" /></th>
+        <td><input name="newpassword" type="password" tabindex="3" /></td></tr>
+        <tr><th><lang en="Confirm password" fr="Confirmez le mot de passe" /></th>
+        <td><input name="confirmpassword" type="password" tabindex="4" /></td></tr>
+        <tr><td colspan="2">
+        <input id="reset" type="checkbox" name="reset" />
+        <lang en="Generate the password automatically" fr="Générer le mot de passe automatiquement" />
+        </td></tr>
+        <tr><td colspan="2">
+        <div class="buttons">
+        <button type="reset" class="negative" tabindex="6">
+                <lang en="Cancel" fr="Annuler" />
+        </button>
+        <button type="submit" class="positive" tabindex="5">
+                <lang en="Submit" fr="Soumettre" />
+        </button>
+        </div>
+        </td></tr></table>
+      </div>
+      </form>
+      </TMPL_IF>
+
       <div class="panel-buttons">
         <button type="button" class="positive" tabindex="1" onclick="location.href='<TMPL_VAR NAME="PORTAL_URL">';return false;">
           <lang en="Go to portal" fr="Aller au portail" />
diff --git a/modules/lemonldap-ng-portal/example/skins/pastel/mail.tpl b/modules/lemonldap-ng-portal/example/skins/pastel/mail.tpl
index c0a4d92b5..d8c5bac5a 100644
--- a/modules/lemonldap-ng-portal/example/skins/pastel/mail.tpl
+++ b/modules/lemonldap-ng-portal/example/skins/pastel/mail.tpl
@@ -55,6 +55,37 @@
         </form>
         </TMPL_IF>
 
+	<TMPL_IF NAME="DISPLAY_PASSWORD_FORM">
+        <div id="password">
+        <form action="#" method="post" class="password">
+        <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
+        <input type="hidden" id="mail_token" name="mail_token" value="<TMPL_VAR NAME="MAIL_TOKEN">" />
+        <h3><lang en="Change your password" fr="Changez votre mot de passe" /></h3>
+        <table>
+        <tr><th><lang en="New password" fr="Nouveau mot de passe" /></th>
+        <td><input name="newpassword" type="password" tabindex="3" /></td></tr>
+        <tr><th><lang en="Confirm password" fr="Confirmez le mot de passe" /></th>
+        <td><input name="confirmpassword" type="password" tabindex="4" /></td></tr>
+        <tr><td colspan="2">
+	<input id="reset" type="checkbox" name="reset" />
+	<lang en="Generate the password automatically" fr="Générer le mot de passe automatiquement" />
+	</td></tr>
+        <tr><td colspan="2">
+        <div class="buttons">
+        <button type="reset" class="negative" tabindex="6">
+                <img src="/skins/common/cancel.png" alt="" />
+                <lang en="Cancel" fr="Annuler" />
+        </button>
+        <button type="submit" class="positive" tabindex="5">
+                <img src="/skins/common/accept.png" alt="" />
+                <lang en="Submit" fr="Soumettre" />
+        </button>
+        </div>
+        </td></tr></table>
+        </form>
+        </div>
+	</TMPL_IF>
+
         <div class="link">
                 <a href="<TMPL_VAR NAME="PORTAL_URL">">
                         <lang en="Go back to portal" fr="Retourner au portail" />
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm
index 7a25a9798..a1422b746 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm
@@ -28,6 +28,7 @@ use Encode;
 #   - extractMailInfo
 #   - storeMailSession
 #   - sendConfirmationMail
+#   - changePassword
 #   - sendPasswordMail
 # - portal core module:
 #   - setMacros
@@ -39,7 +40,6 @@ use Encode;
 #   - setSessionInfo
 # - passwordDB module:
 #   - passwordDBInit
-#   - resetPassword
 # @return 1 if all is OK
 sub process {
     my ($self) = splice @_;
@@ -50,7 +50,7 @@ sub process {
     $self->{error} = $self->_subProcess(
         qw(smtpInit userDBInit passwordDBInit extractMailInfo
           getUser setSessionInfo setMacros setLocalGroups setGroups setPersistentSessionInfo
-          storeMailSession sendConfirmationMail resetPassword sendPasswordMail)
+          storeMailSession sendConfirmationMail changePassword sendPasswordMail)
     );
 
     return (
@@ -87,7 +87,9 @@ sub extractMailInfo {
     return PE_MAILFORMEMPTY
       unless ( $self->param('mail') || $self->param('mail_token') );
 
-    $self->{mail_token} = $self->param('mail_token');
+    $self->{mail_token}      = $self->param('mail_token');
+    $self->{newpassword}     = $self->param('newpassword');
+    $self->{confirmpassword} = $self->param('confirmpassword');
 
     # If a mail token is present, find the corresponding mail
     if ( $self->{mail_token} ) {
@@ -105,8 +107,8 @@ sub extractMailInfo {
                 'debug' );
         }
 
-        # Mail token can be used only one time, delete the session
-        tied(%$h)->delete() if ref $h;
+        # Close session, it will be deleted after password change success
+        untie %$h;
 
         return PE_BADMAILTOKEN unless ( $self->{mail} );
     }
@@ -225,6 +227,53 @@ sub sendConfirmationMail {
     PE_MAILOK;
 }
 
+## @method int changePassword
+# Change the password or generate a new password
+# @return Lemonldap::NG::Portal constant
+sub changePassword {
+    my ($self) = splice @_;
+
+    # Check if user wants to generate the new password
+    if ( $self->param('reset') ) {
+
+        $self->lmLog(
+            "Reset password request for " . $self->{sessionInfo}->{_user},
+            'debug' );
+
+        # Generate a complex password
+        my $password = $self->gen_password( $self->{randomPasswordRegexp} );
+
+        $self->lmLog( "Generated password: " . $password, 'debug' );
+
+        $self->{newpassword}     = $password;
+        $self->{confirmpassword} = $password;
+    }
+
+    # Else a password is required
+    else {
+        return PE_FORMEMPTY
+          unless ( $self->{newpassword} && $self->{confirmpassword} );
+    }
+
+    # Modify the password
+    my $result = $self->modifyPassword( $self->param('reset') );
+
+    # Mail token can be used only one time, delete the session if all is ok
+    if ( $result == PE_PASSWORD_OK ) {
+
+        # Get the corresponding session
+        my $h = $self->getApacheSession( $self->{mail_token} );
+
+        # Delete it
+        tied(%$h)->delete() if ref $h;
+
+        # Force result to PE_OK to continue the process
+        $result = PE_OK;
+    }
+
+    return $result;
+}
+
 ## @method int sendPasswordMail
 # Send mail containing the new password
 # @return Lemonldap::NG::Portal constant
@@ -269,7 +318,7 @@ sub sendPasswordMail {
     }
 
     # Replace variables in body
-    my $password = $self->{reset_password};
+    my $password = $self->{newpassword};
     $body =~ s/\$password/$password/g;
     $body =~ s/\$(\w+)/decode("utf8",$self->{sessionInfo}->{$1})/ge;
 
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/PasswordDBLDAP.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/PasswordDBLDAP.pm
index 6fa68df9f..542d31abc 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/PasswordDBLDAP.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/PasswordDBLDAP.pm
@@ -30,11 +30,12 @@ sub passwordDBInit {
     PE_OK;
 }
 
-## @apmethod int modifyPassword()
+## @apmethod int modifyPassword(boolean reset)
 # Modify the password by LDAP mechanism.
+# @param reset Force pwdReset flag to TRUE
 # @return Lemonldap::NG::Portal constant
 sub modifyPassword {
-    my $self = shift;
+    my ($self,$reset) = splice @_;
 
     # Exit method if no password change requested
     return PE_OK unless ( $self->{newpassword} );
@@ -63,6 +64,23 @@ sub modifyPassword {
     $self->updateSession($infos)
       if ( $self->{storePassword} and $code == PE_PASSWORD_OK );
 
+    return $code unless ( $code == PE_PASSWORD_OK );
+
+    # If Password Policy and reset asked, set the PwdReset flag
+    if ( $self->{ldapPpolicyControl} and $reset) {
+        my $result =
+          $self->ldap->modify( $self->{dn},
+            replace => { 'pwdReset' => 'TRUE' } );
+
+        unless ( $result->code == 0 ) {
+            $self->lmLog( "LDAP modify pwdReset error: " . $result->code,
+                'error' );
+            $code = PE_LDAPERROR;
+        }
+
+        $self->lmLog( "pwdReset set to TRUE", 'debug' );
+    }
+
     return $code;
 }