This issue is following this thread: https://lists.forgerock.org/pipermail/opendj/2014-April/003832.html
When a password is expired, a bind returns "invalid credential: expired" even if the password is not correct. As a consequence, I'm not able to determine whether the authentication request is well-founded or whether it is a malicious one. The user will always be redirected to the change-password page, and a malicious user will know that this username exists.
By the way, even if the account is locked or the password is expired or reset, I try not to disclose the validity of the username and follow this flow: "username/password => auth ok => check account usability".
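The flow described in this issue, as an added example that is not part of the original report and is not OpenDJ code: the password is verified first, a single uniform "invalid credentials" result is returned for an unknown username, a wrong password on any account, and a wrong password on an expired or locked account, and account-state details (expired, locked, must reset) are disclosed only after the supplied password has been verified. The in-memory directory, the usernames and the passwords are constructed sample data; the hypothetical `authenticate` and `leaks_username` functions are assumptions made for this illustration.

```python
"""Added example (not part of the original issue or of OpenDJ): an
authentication routine that checks the password *before* account state,
so a wrong password reveals nothing about whether the username exists or
whether its password is expired / the account is locked."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    pw_hash: bytes            # PBKDF2-HMAC-SHA256 digest of the password
    salt: bytes
    expired: bool = False     # password has expired
    locked: bool = False      # account is locked
    must_reset: bool = False  # password was reset by an administrator


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str, **state) -> Account:
    salt = os.urandom(16)
    return Account(pw_hash=_hash_password(password, salt), salt=salt, **state)


# Constructed sample directory (hypothetical users and passwords).
DIRECTORY = {
    "alice": make_account("correct-horse"),
    "bob":   make_account("battery-staple", expired=True),
    "carol": make_account("s3cret", locked=True),
    "dave":  make_account("temp-pass", must_reset=True),
}

# Dummy entry: an unknown username costs the same hash computation as a
# known one, so there is no timing difference between the two cases.
_DUMMY = make_account("unused")

# The only message ever returned when the credential check fails.
INVALID = "invalid credentials"


def authenticate(username: str, password: str) -> tuple[bool, str]:
    """Return (ok, status).

    Flow: username/password -> credentials ok -> check account usability.
    Account state is only disclosed once the password has been verified,
    so an attacker guessing passwords cannot tell "no such user" from
    "wrong password" from "right user, wrong password, expired account".
    """
    account = DIRECTORY.get(username, _DUMMY)
    candidate = _hash_password(password, account.salt)
    # Constant-time comparison; evaluated even for unknown users.
    pw_ok = hmac.compare_digest(candidate, account.pw_hash)
    if username not in DIRECTORY or not pw_ok:
        return False, INVALID
    # Credentials verified: now it is safe to report account usability.
    if account.locked:
        return False, "account locked"
    if account.expired:
        return False, "password expired"
    if account.must_reset:
        return False, "password must be changed"
    return True, "ok"


def leaks_username(username: str) -> bool:
    """Probe for the property this issue asks for: with a wrong password,
    a known and an unknown username must produce identical responses."""
    known = authenticate(username, "definitely-wrong")
    unknown = authenticate("no-such-user", "definitely-wrong")
    return known != unknown


if __name__ == "__main__":
    for user, pw in [("alice", "correct-horse"), ("bob", "battery-staple"),
                     ("bob", "guess"), ("nobody", "guess"), ("carol", "s3cret")]:
        print(f"{user:8} {pw:16} -> {authenticate(user, pw)}")
    print("bob enumerable via wrong password?", leaks_username("bob"))
```

The point of the ordering is that the "password expired" answer is a privilege earned by presenting the correct password; returning it for any bind against an expired account turns the expiry state into a username oracle.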