diff --git a/admin/inc/class.boaccounts.inc.php b/admin/inc/class.boaccounts.inc.php
index 8c574be762..4aed8baa14 100755
--- a/admin/inc/class.boaccounts.inc.php
+++ b/admin/inc/class.boaccounts.inc.php
@@ -442,6 +442,7 @@
 		function save_user($_userData)
 		{
 			//error_log(__METHOD__.array2string($_userData));
+			//error_log(__METHOD__.array2string($old_passwd));
 			$account =& CreateObject('phpgwapi.accounts',$_userData['account_id'],'u');
 			$account->update_data($_userData);
 			$account->save_repository();
@@ -465,6 +466,8 @@
 					// so we need to reset that to 0 as Admin required the change of password upon next login
 					unset($_userData['account_passwd']);
 					$this->save_user($_userData);
+					// maybe we should call that with NULL for 2nd Parameter as we are doing an admin action.
+					if (method_exists($auth,'setLastPwdChange')) $auth->setLastPwdChange($_userData['account_id'], $_userData['account_passwd'], $_userData['account_lastpwd_change']);
 				}
 			}
 
diff --git a/phpgwapi/inc/class.auth.inc.php b/phpgwapi/inc/class.auth.inc.php
index 3e75541d9f..ac6e684567 100644
--- a/phpgwapi/inc/class.auth.inc.php
+++ b/phpgwapi/inc/class.auth.inc.php
@@ -93,11 +93,19 @@ class auth
 		) return true;
 		if ($GLOBALS['egw_info']['user']['account_lastpasswd_change'] && !$GLOBALS['egw_info']['user'][$alpwchange])
 		{
-			// use old style names, as the cuurent one seems not to be set.
+			// use old style names, as the current one seems not to be set.
 			$alpwchange = 'account_lastpasswd_change';
 		}
 		// initalize statics - better readability of conditions
-		if (is_null($alpwchange_val)) $alpwchange_val = $GLOBALS['egw_info']['user'][$alpwchange];
+		if (is_null($alpwchange_val))
+		{
+			$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
+			$backend = new $backend_class;
+			// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
+			// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
+			if (method_exists($backend,'getLastPwdChange')) $alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw_info']['user']['account_lid']);
+			if (is_null($alpwchange_val) || $alpwchange_val === false) $alpwchange_val = $GLOBALS['egw_info']['user'][$alpwchange];
+		}
 		if (is_null($passwordAgeBorder) && $GLOBALS['egw_info']['server']['change_pwd_every_x_days']) 
 		{
 			$passwordAgeBorder = (egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400));
diff --git a/phpgwapi/inc/class.auth_ldap.inc.php b/phpgwapi/inc/class.auth_ldap.inc.php
index 4fd27f3422..9e1488df79 100644
--- a/phpgwapi/inc/class.auth_ldap.inc.php
+++ b/phpgwapi/inc/class.auth_ldap.inc.php
@@ -117,6 +117,107 @@ class auth_ldap implements auth_backend
 		return False;
 	}
 
+	/**
+	 * fetch the last pwd change for the user
+	 *
+	 * @param string $username username of account to authenticate
+	 * @return mixed false or shadowlastchange*24*3600 
+	 */
+	function getLastPwdChange($username)
+	{
+		// allow non-ascii in username & password
+		$username = translation::convert($username,translation::charset(),'utf-8');
+
+		if(!$ldap = common::ldapConnect())
+		{
+			$GLOBALS['egw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped');
+			$GLOBALS['egw']->log->commit();
+			return False;
+		}
+
+		/* Login with the LDAP Admin. User to find the User DN.  */
+		if(!@ldap_bind($ldap, $GLOBALS['egw_info']['server']['ldap_root_dn'], $GLOBALS['egw_info']['server']['ldap_root_pw']))
+		{
+			if ($this->debug) error_log(__METHOD__."('$username') can NOT bind with ldap_root_dn to search!");
+			return false;
+		}
+		/* find the dn for this uid, the uid is not always in the dn */
+		$attributes	= array('uid','dn','shadowexpire','shadowlastchange');
+
+		$filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)';
+		$filter = str_replace(array('%user','%domain'),array(ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),$filter);
+
+		if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap')
+		{
+			$filter = "(&$filter(objectclass=posixaccount))";
+		}
+		$sri = ldap_search($ldap, $GLOBALS['egw_info']['server']['ldap_context'], $filter, $attributes);
+		$allValues = ldap_get_entries($ldap, $sri);
+
+		if ($allValues['count'] > 0)
+		{
+			if ($GLOBALS['egw_info']['server']['case_sensitive_username'] == true &&
+				$allValues[0]['uid'][0] != $username)
+			{
+				if ($this->debug) error_log(__METHOD__."('$username') wrong case in username!");
+				return false;
+			}
+			if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap' &&
+				isset($allValues[0]['shadowexpire']) && $allValues[0]['shadowexpire'][0]*24*3600 < time())
+			{
+				if ($this->debug) error_log(__METHOD__."('$username',\$password) account is expired!");
+				return false;	// account is expired
+			}
+			return $allValues[0]['shadowlastchange'][0]*24*3600;
+		}
+		if ($this->debug) error_log(__METHOD__."('$username') dn not found or password wrong!");
+		// dn not found or password wrong
+		return false;
+	}
+
+	/**
+	 * changes account_lastpwd_change in ldap datababse
+	 *
+	 * @param int $account_id account id of user whose passwd should be changed
+	 * @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
+	 * @param int $lastpwdchange must be a unixtimestamp
+	 * @return boolean true if account_lastpwd_change successful changed, false otherwise
+	 */
+	function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
+	{
+		if (!$account_id)
+		{
+			$username = $GLOBALS['egw_info']['user']['account_lid'];
+		}
+		else
+		{
+			$username = translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
+				translation::charset(),'utf-8');
+		}
+		//echo "<p>auth_ldap::change_password('$old_passwd','$new_passwd',$account_id) username='$username'</p>\n";
+
+		$filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)';
+		$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter);
+
+		$ds = common::ldapConnect();
+		$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
+		$allValues = ldap_get_entries($ds, $sri);
+
+		$entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
+
+		$dn = $allValues[0]['dn'];
+
+		if($passwd)	// if old password given (not called by admin) --> bind as that user to change the pw
+		{
+			$ds = common::ldapConnect('',$dn,$passwd);
+		}
+		if (!@ldap_modify($ds, $dn, $entry))
+		{
+			return false;
+		}
+		return true;
+	}
+
 	/**
 	 * changes password in LDAP
 	 *
diff --git a/phpgwapi/inc/class.auth_sql.inc.php b/phpgwapi/inc/class.auth_sql.inc.php
index 8d57e4b8f2..204079da68 100644
--- a/phpgwapi/inc/class.auth_sql.inc.php
+++ b/phpgwapi/inc/class.auth_sql.inc.php
@@ -109,6 +109,84 @@ class auth_sql implements auth_backend
 		return true;
 	}
 
+	/**
+	 * fetch the last pwd change for the user
+	 *
+	 * @param string $username username of account to authenticate
+	 * @return mixed false or account_lastpwd_change
+	 */
+	function getLastPwdChange($username)
+	{
+		/* normal web form login */
+		$where = array(
+			'account_lid'    => $username,
+			'account_type'   => 'u',
+			'account_status' => 'A'
+		);
+		if (!$GLOBALS['egw_info']['server']['case_sensitive_username'])	// = is case sensitiv eg. on postgres, but not on mysql!
+		{
+			$where[] = 'account_lid '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote($username);
+			unset($where['account_lid']);
+		}
+		if (!($row = $this->db->select($this->table,'account_lid,account_lastpwd_change',$where,__LINE__,__FILE__)->fetch()) ||
+			$GLOBALS['egw_info']['server']['case_sensitive_username'] && $row['account_lid'] != $username)
+		{
+			return false;
+		}
+		// if this point is reached, we found a user with that name and return the account_lastpwd_change
+		$rv = $row['account_lastpwd_change'];
+
+		return $rv;
+	}
+
+	/**
+	 * changes account_lastpwd_change in sql datababse
+	 *
+	 * @param int $account_id account id of user whose passwd should be changed
+	 * @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
+	 * @param int $lastpwdchange must be a unixtimestamp
+	 * @return boolean true if account_lastpwd_change successful changed, false otherwise
+	 */
+	function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
+	{
+		$admin = True;
+		// Don't allow password changes for other accounts when using XML-RPC
+		if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
+		{
+			$admin = False;
+			$account_id = $GLOBALS['egw_info']['user']['account_id'];
+			$username = $GLOBALS['egw_info']['user']['account_lid'];
+		} 
+		else
+		{
+			$username = $GLOBALS['egw']->accounts->id2name($account_id);
+		}
+
+		if (($pw = $this->db->select($this->table,'account_pwd',array(
+			'account_id'     => $account_id,
+			'account_type'   => 'u',
+			'account_status' => 'A',
+		),__LINE__,__FILE__)->fetchColumn()) === false)
+		{
+			return false;	// account not found
+		}
+		// Check the passwd to make sure this is legal
+		if(!$admin && !auth::compare_password($passwd,$pw,$this->type,strtolower($username)))
+		{
+			return false;
+		}
+
+		$this->db->update($this->table,array(
+			'account_lastpwd_change' => ($lastpwdchange==NULL || $lastpwdchange<0 ? time():$lastpwdchange),
+		),array(
+			'account_id' => $account_id,
+		),__LINE__,__FILE__);
+
+		if(!$this->db->affected_rows()) return false;
+
+		return true;
+	}
+
 	/**
 	 * changes password in sql datababse
 	 *
@@ -125,6 +203,11 @@ class auth_sql implements auth_backend
 		{
 			$admin = False;
 			$account_id = $GLOBALS['egw_info']['user']['account_id'];
+			$username = $GLOBALS['egw_info']['user']['account_lid'];
+		} 
+		else
+		{
+			$username = $GLOBALS['egw']->accounts->id2name($account_id);
 		}
 
 		if (($pw = $this->db->select($this->table,'account_pwd',array(
diff --git a/phpgwapi/inc/class.auth_sqlssl.inc.php b/phpgwapi/inc/class.auth_sqlssl.inc.php
index d2a50f0ef7..686687850e 100644
--- a/phpgwapi/inc/class.auth_sqlssl.inc.php
+++ b/phpgwapi/inc/class.auth_sqlssl.inc.php
@@ -15,23 +15,8 @@
  * 
  * @todo rewrite using auth_sql backend class
  */
-class auth_sqlssl implements auth_backend
+class auth_sqlssl extends auth_sql
 {
-	/**
-	 * @var egw_db
-	 */
-	var $db;
-	var $table = 'egw_accounts';
-	var $previous_login = -1;
-
-	/**
-	 * Constructor
-	 */
-	function __construct()
-	{
-		$this->db = $GLOBALS['egw']->db;
-	}
-
 	/**
 	 * password authentication
 	 *
@@ -69,33 +54,4 @@ class auth_sqlssl implements auth_backend
 		}
 		return True;
 	}
-
-	/**
-	 * changes password
-	 *
-	 * @param string $old_passwd must be cleartext or empty to not to be checked
-	 * @param string $new_passwd must be cleartext
-	 * @param int $account_id=0 account id of user whose passwd should be changed
-	 * @return boolean true if password successful changed, false otherwise
-	 */
-	function change_password($old_passwd, $new_passwd, $account_id = 0)
-	{
-		if(!$account_id)
-		{
-			$account_id = $GLOBALS['egw_info']['user']['account_id'];
-		}
-
-		$encrypted_passwd = auth::encrypt_sql($new_passwd);
-
-		$GLOBALS['egw']->db->update($this->table,array(
-			'account_pwd' => $encrypted_passwd,
-			'account_lastpwd_change' => time(),
-		),array(
-			'account_id' => $account_id,
-		),__LINE__,__FILE__);
-
-		$GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd);
-
-		return $encrypted_passwd;
-	}
 }