What you want to achieve is not possible via the OpenVMS authentication module.
First, If a user's password is expired, he won't be allowed access when user-authentication is enabled in Apache. Nor is access allowed when the user's account is captive or has the flag DISUSER set.
Second: Apache - and all CGI-scripts that are invoked - run under the (non-privileged) user APACHE$WWW, and therefore, changing password (for another user!) is not allowed.
It might be that the SUEXEC module allows you to do this, I have no experience with it. I just know that there is some extra security built-in that allowes just users mentioned in a separate Apache file to run scripts under their name. That would require an extra synchronisation between SYSUAF and this file - to be executed by system management.
Furthermore, it won't work if that page is protected by the authentication module, for the fore-mentioned reasons.
Another, and IMHO a better approach, is warning that the password is about to expire, like VMS does by standard, allowing the user to take action in advance. But that would require a privileged image to be used, in order to allow APACHE$WWW the retrieve this data (based on REMOTE_USER symbol) and set this user's new password (based on this user's input).
Willem
Willem Grooters
OpenVMS Developer & System Manager
