LDAPWiki has been asked by several companies to reduce the help desk calls arising from password changes and password reset requests.
LDAPWiki has written several custom Password Management applications, including some that work with Novell's Challenge-Response implementation.
LDAPWiki has also implemented methods to pre-populate the form values of Novell's Challenge-Response implementation from attributes on the user object.
One of the most interesting client requirements was to display the password to users who had forgotten it.
The client has a Novell IDM infrastructure that synchronizes passwords from LDAP (eDirectory) to and from Active Directory. Passwords are also synchronized from LDAP to many other password stores, among them RACF, DB2, Oracle, a Point Of Sale system and a Retail Management System.
If the user changed the password from LDAP, the Lotus Notes ID file password would no longer be in sync with the rest of the user's passwords.
In addition, provided the user answered their challenge-response questions correctly, the client wanted the user's Active Directory account to be unlocked if it was locked.
The client's primary user platform (97%) was Windows XP; a few Mac and Linux users were also present.
Novell (and I assume others) provides mechanisms that allow the user to access a browser before logging into the desktop; Novell's is the Client Login Extension.
Novell's eDirectory advertises supportedSASLMechanisms=NMAS_LOGIN. This mechanism allows a user to perform a SASL bind to LDAP: the user submits their challenge responses to the LDAP server, and if the submitted responses are correct, the user holds an authenticated connection to the LDAP server.
That authenticated connection allows the user to retrieve their current password.
We have further enhanced this offering and can provide it to your organization for a reasonable cost. See Automated Password Self Service.