I know this is probably an LDAP/Active Directory question, but I'll give it a try here.

Currently I have developed a Java WebApplication to offer the ability to change AD-controlled passwords. The WebApplication uses LDAP access to do this. The users need to authenticate, and then their password is changed by the "LdapContext.modifyAttributes()" method.
Now I have found that this does not work for users who have been given an initial password, i.e. they get a new password and a flag is set on the account (pwdLastSet=0) to force the user to change the password at next logon.

This is how the program works now.

Bind()
Java Code:
prop.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
prop.put(Context.PROVIDER_URL, "ldaps://my.active.directory.com:636");
prop.put(Context.SECURITY_AUTHENTICATION, "simple");
prop.put(Context.SECURITY_PROTOCOL,"ADSecurityProtocol");
prop.put(Context.SECURITY_PRINCIPAL,this.userid);
prop.put(Context.SECURITY_CREDENTIALS,password);
ldapContext = new InitialLdapContext(prop, null);
Change()
Java Code:
ModificationItem[] mods = new ModificationItem[2];
String oldQuotedPassword = "\"" + oldPassword + "\"";
byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
String newQuotedPassword = "\"" + newPassword1 + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
new BasicAttribute("unicodePwd", oldUnicodePassword));
mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
new BasicAttribute("unicodePwd", newUnicodePassword));
ldapContext.modifyAttributes(userDN, mods);
When the flag "pwdLastSet=0" is set, the bind fails with this error:
Invalid logon credentials: '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773
I'm looking for an idea of how to enable users to change their password, especially when they are required to do so. I could change the flag to "pwdLastSet=-1", but for this I would need administrator authority for the AD. As this is a WebApp, I would like to avoid giving it this authority.

Has anyone got an idea how to change the password with user authority via LDAP when the flag "pwdLastSet=0" is set?

Any help appreciated.
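The delete/add unicodePwd change from the post, wrapped with a fallback for the "data 773" bind failure, as an added example that is not part of the original post: it assumes a separate low-privilege service account (svcPrincipal/svcPassword are assumed names) that holds only the Change Password right on the user object, and relies on AD verifying the old password inside the delete/add itself, so that account needs neither Reset Password rights nor write access to pwdLastSet.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class AdPasswordChange {
    static LdapContext bind(String url, String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // must be ldaps://; AD rejects unicodePwd writes over plain LDAP
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialLdapContext(env, null);
    }

    // unicodePwd values are the password wrapped in double quotes, encoded as UTF-16LE.
    static byte[] quotedUtf16(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Delete old / add new is a *change*, not a reset: AD checks the old value itself,
    // so the bound account needs only the Change Password right, not Reset Password.
    static void changePassword(LdapContext ctx, String userDn, String oldPw, String newPw) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", quotedUtf16(oldPw))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", quotedUtf16(newPw))) };
        ctx.modifyAttributes(userDn, mods);
    }

    // Try the user's own bind first. Only a "data 773" refusal (password must change at next
    // logon) triggers the fallback to the separate least-privilege bind; wrong password (52e),
    // expired (532), disabled (533) or locked out (775) stay fatal so they are not masked.
    static void changeOrFallback(String url, String userDn, String userPrincipal, String oldPw,
            String newPw, String svcPrincipal, String svcPassword) throws NamingException {
        LdapContext ctx;
        try {
            ctx = bind(url, userPrincipal, oldPw);
        } catch (AuthenticationException e) {
            if (!String.valueOf(e.getMessage()).contains("data 773")) throw e;
            ctx = bind(url, svcPrincipal, svcPassword); // assumed service account, see lead-in
        }
        try { changePassword(ctx, userDn, oldPw, newPw); } finally { ctx.close(); }
    }
}
```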