diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthAD.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthAD.pm
index ea126776d..41a2ef0ee 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthAD.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthAD.pm
@@ -119,7 +119,11 @@ sub authenticate {
 # Remember password if password reset needed
 $self->{oldpassword} = $self->{password}
- if ( $res == PE_PP_CHANGE_AFTER_RESET );
+ if (
+ $res == PE_PP_CHANGE_AFTER_RESET
+ or ( $res == PE_PP_PASSWORD_EXPIRED
+ and $self->{ldapAllowResetExpiredPassword} )
+ );
 return $res;
 }
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthLDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthLDAP.pm
index e3a88e250..cb2efbcdf 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthLDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthLDAP.pm
@@ -49,7 +49,11 @@ sub authenticate {
 # Remember password if password reset needed
 $self->{oldpassword} = $self->{password}
- if ( $res == PE_PP_CHANGE_AFTER_RESET );
+ if (
+ $res == PE_PP_CHANGE_AFTER_RESET
+ or ( $res == PE_PP_PASSWORD_EXPIRED
+ and $self->{ldapAllowResetExpiredPassword} )
+ );
 # Unbind if there was an error
 unless ( $res == PE_OK ) {
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Display.pm
index d9b9f5d60..8afce545c 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Display.pm
@@ -230,6 +230,8 @@ sub display {
 or $self->{error} == PE_PASSWORD_MISMATCH
 or $self->{error} == PE_BADOLDPASSWORD
 or $self->{error} == PE_PASSWORDFORMEMPTY
+ or ( $self->{error} == PE_PP_PASSWORD_EXPIRED
+ and $self->{ldapAllowResetExpiredPassword} )
 )
 {
 %templateParams = (
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm
index bdac89b09..a61801b0f 100644
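Review bot: The comment kept above the assignment, `# Remember password if password reset needed`, no longer describes the condition: the new code also keeps the cleartext password in `$self->{oldpassword}` when the bind reported PE_PP_PASSWORD_EXPIRED and `ldapAllowResetExpiredPassword` is set, which is worth recording explicitly because it widens the cases in which the password is retained in the portal object. Suggested comment: `# Keep the password for the change-password form: required after an admin reset, and optional (ldapAllowResetExpiredPassword) when the password has expired`. The same change and comment apply to the AuthLDAP.pm hunk at @@ -49,7 below, and AuthAD, AuthLDAP and Display.pm now each repeat the `PE_PP_PASSWORD_EXPIRED and $self->{ldapAllowResetExpiredPassword}` test, so one shared predicate would keep the three in sync. `ldapAllowResetExpiredPassword` is read here without a visible default; if it is a new configuration key it presumably needs a declared default so the behaviour stays off unless explicitly enabled. Both authenticate bodies start outside their hunks.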
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm
@@ -398,10 +398,40 @@ sub userModifyPassword {
 # Bind as user if oldpassword and ldapChangePasswordAsUser
 if ( $oldpassword and $asUser ) {
- $mesg = $self->bind( $dn, password => $oldpassword );
- if ( $mesg->code != 0 ) {
- $self->{portal}->lmLog( "Bad old password", 'debug' );
- return PE_BADOLDPASSWORD;
+
+ $mesg = $self->bind(
+ $dn,
+ password => $oldpassword,
+ control => [$pp]
+ );
+ my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
+
+ unless ( defined $bind_resp ) {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
+ else {
+
+ # Check if password is expired
+ my $pp_error = $bind_resp->pp_error;
+ if ( defined $pp_error
+ and $pp_error == 0
+ and $self->{portal}->{ldapAllowResetExpiredPassword} )
+ {
+ $self->{portal}->lmLog(
+"Password is expired but user is allowed to change it",
+ 'debug'
+ );
+ }
+ else {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}
+ ->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
 }
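Review bot: The new old-password check is pasted twice with identical bodies (here and in the @@ -433,10 hunk below), each with two nested "Bad old password" rejections, and the decisive rule — a failed bind is nonetheless accepted when the password-policy response carries error 0 (passwordExpired) and `ldapAllowResetExpiredPassword` is on — is buried in the inner else branch. That acceptance rests on the directory reporting passwordExpired only after it has verified the credentials (how the OpenLDAP ppolicy overlay behaves), which deserves a comment, since a reader otherwise takes `$mesg->code != 0` as the only rejection path and may later "simplify" it. A helper that answers one boolean per bind result leaves each call site with a single rejection and keeps `$mesg` in the caller for whatever uses follow outside the hunk; the hard-coded OID `1.3.6.1.4.1.42.2.27.8.5.1` is exported by Net::LDAP::Constant as LDAP_CONTROL_PASSWORDPOLICY, and the magic `0` should at least carry a comment naming the enumeration value. `$pp` and the start of userModifyPassword are outside the hunk.
```perl
# True when the user bind in $mesg counts as proof of the old password:
# either the bind succeeded, or it failed only because the password has
# expired and the portal allows renewing expired passwords.  Relies on the
# directory reporting passwordExpired only after the credentials were
# verified, as the OpenLDAP ppolicy overlay does.
sub _old_password_verified {
    my ( $self, $mesg ) = @_;
    my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
    my $pp_error = defined $bind_resp ? $bind_resp->pp_error : undef;

    if (    defined $pp_error
        and $pp_error == 0    # passwordExpired in the ppolicy error enumeration
        and $self->{portal}->{ldapAllowResetExpiredPassword} )
    {
        $self->{portal}->lmLog(
            "Password is expired but user is allowed to change it", 'debug' );
        return 1;
    }
    return $mesg->code == 0;
}

# … in userModifyPassword, at both call sites (here and at @@ -433,10) …
$mesg = $self->bind( $dn, password => $oldpassword, control => [$pp] );
unless ( $self->_old_password_verified($mesg) ) {
    $self->{portal}->lmLog( "Bad old password", 'debug' );
    return PE_BADOLDPASSWORD;
}
```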
@@ -433,10 +463,39 @@ sub userModifyPassword {
 if ($oldpassword) {
 # Check old password with a bind
- $mesg = $self->bind( $dn, password => $oldpassword );
- if ( $mesg->code != 0 ) {
- $self->{portal}->lmLog( "Bad old password", 'debug' );
- return PE_BADOLDPASSWORD;
+ $mesg = $self->bind(
+ $dn,
+ password => $oldpassword,
+ control => [$pp]
+ );
+ my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
+
+ unless ( defined $bind_resp ) {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
+ else {
+
+ # Check if password is expired
+ my $pp_error = $bind_resp->pp_error;
+ if ( defined $pp_error
+ and $pp_error == 0
+ and $self->{portal}->{ldapAllowResetExpiredPassword} )
+ {
+ $self->{portal}->lmLog(
+"Password is expired but user is allowed to change it",
+ 'debug'
+ );
+ }
+ else {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}
+ ->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
 }
 # Rebind as Manager only if user is not granted to change its password