Comment 1 for bug 1270118

Giulio Turetta (giulio-9) wrote :

Hi, I confirm this issue (also in trunk).

It's apparently due to an "improper" use of flags in pam_chauthtok call (session-child.c:337).

Because lightdm calls pam_chauthtok after a positive check on PAM_NEW_AUTHTOK_REQD (from man page "The user account is valid but their authentication token is expired") it should pass the PAM_CHANGE_EXPIRED_AUTHTOK flag (from man page "This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired").
gdm3 uses the flag correctly (gdm-session-worker.c:1291).

Without the flag "the application requires that all authentication tokens are to be changed" (pam man) so you need to provide the LDAP admin credentials.

To solve, simply change the line about chauthtok in session-child.c (line 291 for lightdm-1.2.2 of wheezy) from

authentication_result = pam_chauthtok (pam_handle, 0 );

to

authentication_result = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK );

If you want to patch the Debian Wheezy package:
1) download lightdm debian source package: apt-get source lightdm
2) go to the source folder lightdm-1.2.2/src and edit session-child.c as suggested
3) step back to the lightdm-1.2.2 folder and run dpkg-buildpackage -rfakeroot -uc -b (dpkg-buildpackage may require some packages to proceed; it lists the required packages, install these with apt-get install <package-list>)
4) if dpkg-buildpackage completes without errors you have your lightdm_1.2.2-4_i386.deb (step back to the initial folder)
5) stop lightdm (invoke-rc.d lightdm stop) and remove it (apt-get remove lightdm)
6) install your lightdm package (dpkg -i lightdm_1.2.2-4_i386.deb) and start it (invoke-rc.d lightdm start)

That should be fixed because, as it is, no one can use lightdm with ldap when a periodic password change is required.
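The edit in step 2 above is a one-line change, but it is easy to apply it to the wrong line or to a lightdm version where the call already looks different. The script below is an added example, not part of the bug report or of the lightdm project: it wraps the patch in a function that only rewrites the call when exactly one bare `pam_chauthtok (pam_handle, 0 )` is present, reports if the flag is already there, and otherwise leaves the file untouched. The `make_sample_source` function writes a constructed stand-in for the relevant lines of `src/session-child.c` so the patch function can be exercised offline; the `build` branch at the end strings together the Debian packaging steps from the comment and is assumed to be run on a Wheezy box with the build dependencies installed.

```shell
#!/bin/sh
# Added example (not from the bug report): patch the pam_chauthtok call in a
# copy of session-child.c so it passes PAM_CHANGE_EXPIRED_AUTHTOK, and refuse to
# touch a file that does not contain exactly one bare "pam_chauthtok (pam_handle, 0 )".
set -eu

# Regex fragments (ERE) for the call as it appears in lightdm 1.2.2; whitespace tolerant.
CALL_PREFIX='pam_chauthtok[[:space:]]*\([[:space:]]*pam_handle[[:space:]]*,[[:space:]]*'

# patch_chauthtok_flag FILE
# Returns 0 after patching FILE in place, 1 if the bare call was not found
# exactly once (different version or shape, so do not guess), 2 if FILE
# already passes PAM_CHANGE_EXPIRED_AUTHTOK.
patch_chauthtok_flag() {
    file=$1
    if grep -Eq "${CALL_PREFIX}PAM_CHANGE_EXPIRED_AUTHTOK" "$file"; then
        return 2
    fi
    n=$(grep -Ec "${CALL_PREFIX}0[[:space:]]*\)" "$file" || true)
    [ "$n" -eq 1 ] || return 1
    sed -Ei "s/(${CALL_PREFIX})0([[:space:]]*\))/\1PAM_CHANGE_EXPIRED_AUTHTOK\2/" "$file"
}

# chauthtok_flag_in FILE
# Prints the second argument currently passed to pam_chauthtok (handy for a
# quick check after patching).
chauthtok_flag_in() {
    sed -En "s/.*${CALL_PREFIX}([A-Za-z0-9_]+)[[:space:]]*\).*/\1/p" "$1"
}

# make_sample_source FILE
# Constructed stand-in for the few relevant lines of src/session-child.c
# (sample data for testing the patch function, not the real file).
make_sample_source() {
    cat > "$1" <<'EOF'
    if (authentication_result == PAM_NEW_AUTHTOK_REQD)
    {
        authentication_result = pam_chauthtok (pam_handle, 0 );
    }
EOF
}

# The packaging steps from the comment, run only as: sh patch-lightdm.sh build
# (assumes Debian Wheezy with apt-get source and dpkg-buildpackage available).
if [ "${1:-}" = "build" ]; then
    apt-get source lightdm
    srcdir=$(ls -d lightdm-*/ | head -n 1)
    patch_chauthtok_flag "${srcdir}src/session-child.c"
    echo "pam_chauthtok now passes: $(chauthtok_flag_in "${srcdir}src/session-child.c")"
    (cd "$srcdir" && dpkg-buildpackage -rfakeroot -uc -b)
    invoke-rc.d lightdm stop
    apt-get remove lightdm
    dpkg -i lightdm_*.deb
    invoke-rc.d lightdm start
fi
```

Running `sh patch-lightdm.sh` without arguments only defines the functions; `sh patch-lightdm.sh build` performs the download, patch, build, and reinstall. The exit codes 1 and 2 exist so that a second run, or a run against a newer lightdm whose call no longer has that exact shape, stops instead of silently building an unpatched package.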