You could do it with a custom authentication script. We're thinking of writing an example for something like this. For example, it could keep a custom user attribute called passwordData:
passwordData: {'passwordExpiration':'3/31/15', 'oldPasswords': ['<hash-old-passwd>'], 'failedAttempts':0}
When you see the expiration is passed, you could present a special page 2 to prompt the user to set a new password (and validate complexity, or even non-reuse of old passwords by keeping a hash of old passwords).
After collection of the password in step 2, you could write to AD using LDAP.
So it's totally possible... given some more time, we're even going to provide some example interception scripts to do this.
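The flow described in the answer above, written out as an added example (this is not the forum's or the vendor's own script): a passwordData attribute with the same three fields, an expiry check, complexity and non-reuse validation against salted PBKDF2 hashes of previous passwords, rotation of the attribute after a successful change, and the Active Directory write-back payload. The policy numbers (12 characters, 3 of 4 character classes, 5 remembered hashes, 90-day lifetime, lock after 5 failures), the PBKDF2 parameters, the sample user DN and the ldap3-style modify structure are all assumptions made here; no LDAP connection is opened.

```python
"""Password expiry, history and AD write-back helper (added example, not the post's own code)."""
import base64
import hashlib
import hmac
import os
from datetime import date, datetime, timedelta

# Assumed policy values (not taken from the original post).
MIN_LENGTH = 12
MIN_CLASSES = 3
HISTORY_SIZE = 5
LIFETIME_DAYS = 90
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random 16-byte salt, stored as 'pbkdf2-sha256$<salt>$<digest>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Constant-time check of `password` against one stored hash string."""
    _, salt_b64, digest_b64 = stored.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(actual, expected)


def parse_expiration(value):
    # The post stores the date as m/d/yy, e.g. '3/31/15'.
    return datetime.strptime(value, "%m/%d/%y").date()


def format_expiration(d):
    return "%d/%d/%02d" % (d.month, d.day, d.year % 100)


def is_expired(password_data, today):
    """True once the stored passwordExpiration date has passed."""
    return today > parse_expiration(password_data["passwordExpiration"])


def complexity_problems(password):
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < MIN_CLASSES:
        problems.append("fewer than %d of lower/upper/digit/symbol" % MIN_CLASSES)
    return problems


def validate_new_password(password, password_data):
    """Complexity plus non-reuse against the stored hashes; an empty list means acceptable."""
    problems = complexity_problems(password)
    if any(verify_password(password, old) for old in password_data["oldPasswords"]):
        problems.append("reuses one of the last %d passwords" % HISTORY_SIZE)
    return problems


def rotate_password(password_data, new_password, today):
    """Attribute value after a successful change: new hash pushed onto the history
    (oldest dropped), expiration advanced, failedAttempts reset."""
    history = [hash_password(new_password)] + list(password_data["oldPasswords"])
    return {"passwordExpiration": format_expiration(today + timedelta(days=LIFETIME_DAYS)),
            "oldPasswords": history[:HISTORY_SIZE],
            "failedAttempts": 0}


def record_login_attempt(password_data, succeeded):
    updated = dict(password_data)
    updated["failedAttempts"] = 0 if succeeded else password_data["failedAttempts"] + 1
    return updated


def is_locked(password_data):
    return password_data["failedAttempts"] >= MAX_FAILED_ATTEMPTS


def ad_unicode_pwd_value(new_password):
    """AD accepts unicodePwd only as the UTF-16-LE encoding of the password wrapped in
    double quotes, and only over an encrypted (LDAPS/StartTLS) connection."""
    return ('"' + new_password + '"').encode("utf-16-le")


def build_ad_password_modify(user_dn, new_password):
    """(dn, changes) in the shape ldap3's Connection.modify() takes (assumed library)."""
    return user_dn, {"unicodePwd": [("MODIFY_REPLACE", [ad_unicode_pwd_value(new_password)])]}


def sample_password_data():
    """Constructed sample mirroring the post's attribute, with a real hash of 'Winter2014!!'."""
    return {"passwordExpiration": "3/31/15",
            "oldPasswords": [hash_password("Winter2014!!")],
            "failedAttempts": 0}


if __name__ == "__main__":
    data, today, new_pw = sample_password_data(), date(2015, 4, 1), "Spring2015!Xy"
    if is_expired(data, today) and not validate_new_password(new_pw, data):
        data = rotate_password(data, new_pw, today)
        dn, changes = build_ad_password_modify("CN=jdoe,OU=Users,DC=example,DC=com", new_pw)
        print(dn, list(changes), data["passwordExpiration"])
```

Only the hashes go into the attribute; the cleartext is used once for the AD write and then discarded, and the reuse check runs the candidate through every stored hash, so a larger history costs proportionally more PBKDF2 work at change time.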