Re-commit RACF mode with preg_match_all fix

A change got missed in the bulk merge... the verify of the bind()
with expired password (testing for expiry in the extended response)
was lost.  Also, the testing for invalid characters in the password
seemed to have suffered from a change in the `preg_match_all` behaviour
with PHP 8 -- it failed because the '/' character was in the pattern
and that char was the delimiter of the regex in the code.  Since "|" is
a valid char, I've used that as the regex delimiter.

htdocs/change.php

@@ -118,25 +118,27 @@
                     if ( $errno ) {
                         error_log("LDAP - Bind user error $errno  (".ldap_error($ldap).")");
                     }
-                    if ( ($errno == 49) && $ad_mode ) {
+                    if ( ($errno == 49) ) {
                         if ( ldap_get_option($ldap, 0x0032, $extended_error) ) {
                             error_log("LDAP - Bind user extended_error $extended_error  (".ldap_error($ldap).")");
                             $extended_error = explode(', ', $extended_error);
-                            if ( strpos($extended_error[2], '773') or strpos($extended_error[0], 'NT_STATUS_PASSWORD_MUST_CHANGE') ) {
-                                error_log("LDAP - Bind user password needs to be changed");
-                                $who_change_password = "manager";
-                                $result = "";
-                            }
-                            if ( ( strpos($extended_error[2], '532') or strpos($extended_error[0], 'NT_STATUS_ACCOUNT_EXPIRED') ) and $ad_options['change_expired_password'] ) {
-                                error_log("LDAP - Bind user password is expired");
-                                $who_change_password = "manager";
-                                $result = "";
+                            if ( $ad_mode ) {
+                                if ( strpos($extended_error[2], '773') or strpos($extended_error[0], 'NT_STATUS_PASSWORD_MUST_CHANGE') ) {
+                                    error_log("LDAP - Bind user password needs to be changed");
+                                    $who_change_password = "manager";
+                                    $result = "";
+                                }
+                                if ( ( strpos($extended_error[2], '532') or strpos($extended_error[0], 'NT_STATUS_ACCOUNT_EXPIRED') ) and $ad_options['change_expired_password'] ) {
+                                    error_log("LDAP - Bind user password is expired");
+                                    $who_change_password = "manager";
+                                    $result = "";
+                                }
                             }
                             if ( $racf_mode ) {
-                              if ( strpos($extended_error[0], 'expired') ) {
-                                error_log("LDAP - Bind user password is expired");
-                                $result = "";
-                              }
+                                if ( strpos($extended_error[0], 'expired') ) {
+                                    error_log("LDAP - Bind user password is expired");
+                                    $result = "";
+                                }
                             }
                             unset($extended_error);
                         }

lib/functions.inc.php

@@ -258,7 +258,7 @@ function check_password_strength( $password, $oldpassword, $pwd_policy_config, $
 
     $forbidden = 0;
     if ( isset($pwd_forbidden_chars) && !empty($pwd_forbidden_chars) ) {
-        preg_match_all("/[$pwd_forbidden_chars]/", $password, $forbidden_res);
+        preg_match_all("|[$pwd_forbidden_chars]|", $password, $forbidden_res);
         $forbidden = count( $forbidden_res[0] );
     }