diff --git a/src/main/java/org/olat/core/gui/control/DefaultController.java b/src/main/java/org/olat/core/gui/control/DefaultController.java
index 4c07aba0b5be30d46f1eea89ac02d1a29b00368f..18e86b10211863e4461ec2e635c3770d29809504 100644
--- a/src/main/java/org/olat/core/gui/control/DefaultController.java
+++ b/src/main/java/org/olat/core/gui/control/DefaultController.java
@@ -183,11 +183,12 @@ public abstract class DefaultController implements Controller, ControllerEventLi
 	 * @param ores
 	 */
 	protected void fireEvent(UserRequest ureq, Event event) {
-		if (listeners == null) return;
-		for (Iterator<ControllerEventListener> iter = listeners.iterator(); iter.hasNext();) {
-			ControllerEventListener listener = iter.next();
-			if (log.isDebug()) log.debug("Controller event: "+this.getClass().getName()+": fires event to: "+listener.getClass().getName());
-			listener.dispatchEvent(ureq, this, event);
+		if (listeners != null && listeners.size() > 0) {
+			ControllerEventListener[] listenerArr = listeners.toArray(new ControllerEventListener[listeners.size()]);
+			for (ControllerEventListener listener:listenerArr) {
+				if (log.isDebug()) log.debug("Controller event: "+this.getClass().getName()+": fires event to: "+listener.getClass().getName());
+				listener.dispatchEvent(ureq, this, event);
+			}
 		}
 	}
 
diff --git a/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java b/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
index 4955cf1db95e5253d248421f90d3f36c25315ddc..c678d603ed9745d9cfd038f695f720e5ee9d6ac8 100644
--- a/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
+++ b/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
@@ -45,7 +45,6 @@ import org.olat.core.id.Identity;
 import org.olat.core.id.context.ContextEntry;
 import org.olat.core.id.context.StateEntry;
 import org.olat.core.logging.OLATRuntimeException;
-import org.olat.core.logging.OLATSecurityException;
 import org.olat.core.logging.OLog;
 import org.olat.core.logging.Tracing;
 import org.olat.core.util.StringHelper;
@@ -130,18 +129,18 @@ public class LDAPAuthenticationController extends AuthenticationController imple
 	protected void openChangePassword(UserRequest ureq, String initialEmail) {
 		// double-check if allowed first
 		if (!UserModule.isPwdchangeallowed(ureq.getIdentity()) || !ldapLoginModule.isPropagatePasswordChangedOnLdapServer()) {
-			throw new OLATSecurityException("chose password to be changed, but disallowed by config");
+			showError("error.password.change.not.allow");
+		} else {
+			removeAsListenerAndDispose(cmc);
+			removeAsListenerAndDispose(subController);
+			
+			subController = new PwChangeController(ureq, getWindowControl(), initialEmail, true);
+			listenTo(subController);
+			String title = ((PwChangeController)subController).getWizardTitle();
+			cmc = new CloseableModalController(getWindowControl(), translate("close"), subController.getInitialComponent(), true, title);
+			listenTo(cmc);
+			cmc.activate();
 		}
-
-		removeAsListenerAndDispose(cmc);
-		removeAsListenerAndDispose(subController);
-		
-		subController = new PwChangeController(ureq, getWindowControl(), initialEmail, true);
-		listenTo(subController);
-		String title = ((PwChangeController)subController).getWizardTitle();
-		cmc = new CloseableModalController(getWindowControl(), translate("close"), subController.getInitialComponent(), true, title);
-		listenTo(cmc);
-		cmc.activate();
 	}
 	
 	protected void event(UserRequest ureq, Controller source, Event event) {
diff --git a/src/main/java/org/olat/ldap/ui/_i18n/LocalStrings_de.properties b/src/main/java/org/olat/ldap/ui/_i18n/LocalStrings_de.properties
index 3fdee37652083f6969222c46d2840456afa86b30..e71369cfd111bfc285556fd6f240bac454327c68 100644
--- a/src/main/java/org/olat/ldap/ui/_i18n/LocalStrings_de.properties
+++ b/src/main/java/org/olat/ldap/ui/_i18n/LocalStrings_de.properties
@@ -28,6 +28,7 @@ delete.step0.content=Selektiern Sie die Benutzer die Sie l\u00F6schen m\u00F6cht
 delete.step0.description=Benutzer ausw\u00E4hlen
 delete.step1.content.nothingToDelete=Keine Benutzer wurden selektiert, gehen Sie einen Schritt zur\u00FCck um welche zu selektieren oder "Fertigstellen" um keine zu l\u00F6schen.
 delete.step1.description=Best\u00E4tigen
+error.password.change.not.allow=Sie sind mit einem LDAP-Zugang in OpenOLAT angemeldet. Um ihr Passwort zu \u00E4ndern kontaktieren Sie bitte ihren zust\u00E4ndigen Systemadministrator.
 lf.error.loginempty=Bitte geben Sie Ihren LDAP Benutzernamen ein.
 lf.error.passempty=Bitte geben Sie Ihr LDAP Passwort ein.
 lf.login=LDAP-Benutzername