We create users from an LDIF script on a daily basis. These users are
created in our internal authentication tree and then synchronized across
to our external authentication tree using IDM 3.51 dirxml driver sets.
We also synchronize passwords to AD from our internal authentication
tree.
When a user is created in the internal authentication tree from the
LDIF script it is created with an expired password.
This user creation is then passed over to the external authentication
tree using the IDM driver set and created in a flat tree for
authentication to iChain and other external-facing resources.
The problem is that in the internal authentication tree the PED is
created in an expired state, but when the user is created in the other
tree 90 days are added to the expiry date and they are not in
synchronization.
This is causing problems as the users are being told they will be asked
to change their password at first logon, whether internal or external
authentication is used.
This is failing on external authentication because the password is not
expired.
I have tried to come up with a cause/solution but no success.
The UP password policy is set identical in both trees with 90 days
being the days to expire the password.
(AD password synch is OK as there is no expiry date configured on AD).

The old NDS password policy is set on all containers within the trees
to 90 days; will this interfere with the UP policy?
It does not appear to matter how many users we create or modify; the
results are the same.


--
mcunningham
------------------------------------------------------------------------
mcunningham's Profile: http://forums.novell.com/member.php?userid=21632
View this thread: http://forums.novell.com/showthread.php?t=451257
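The check a practitioner would want before touching driver policy is a side-by-side comparison of passwordExpirationTime for the same users in both trees, so that the drift the post describes can be measured rather than inferred from logon behaviour. The script below is an added example written for this thread, not code from the poster or from Novell IDM. It assumes LDIF exports of both trees (for instance from `ldapsearch`) containing `cn` and `passwordExpirationTime` in eDirectory's GeneralizedTime form (`YYYYMMDDHHMMSSZ`); the two LDIF fragments embedded here are constructed sample data, with one user whose external expiry sits 90 days ahead of the internal one, and the comparison is done against a fixed "now" so the result is reproducible.

```python
"""Compare passwordExpirationTime between an internal and an external eDirectory tree.

Added example for diagnosing expiry drift between synchronized trees; the
LDIF below is constructed sample data, not an export from a real system.
"""
from datetime import datetime, timezone

# Constructed sample exports: jsmith's expiry differs between the trees,
# adoe's matches. Dates are arbitrary and only serve the comparison.
INTERNAL_LDIF = """dn: cn=jsmith,ou=users,o=internal
cn: jsmith
passwordExpirationTime: 20080101000000Z

dn: cn=adoe,ou=users,o=internal
cn: adoe
passwordExpirationTime: 20080101000000Z
"""

EXTERNAL_LDIF = """dn: cn=jsmith,o=external
cn: jsmith
passwordExpirationTime: 20080331000000Z

dn: cn=adoe,o=external
cn: adoe
passwordExpirationTime: 20080101000000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns {cn: {attribute: value}} for single-valued attributes.

    Handles comment lines and RFC 2849 line folding (continuation lines start
    with a single space); base64 (`::`) values are not needed for these attributes.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join folded continuation line
        else:
            unfolded.append(line)
    entries, current = {}, {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["cn"]] = current
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    return entries


def parse_gentime(value):
    """Parse an eDirectory GeneralizedTime value such as 20080101000000Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_expiry_drift(internal_ldif, external_ldif, now):
    """Report users whose passwordExpirationTime differs between the two trees.

    Each finding records the drift in days (external minus internal) and whether
    the external copy is still expired at `now`, which is what decides if the
    user is forced to change the password on external logon.
    """
    internal = parse_ldif(internal_ldif)
    external = parse_ldif(external_ldif)
    findings = []
    for cn, entry in internal.items():
        ext = external.get(cn)
        if ext is None:
            findings.append({"cn": cn, "problem": "missing in external tree"})
            continue
        i_exp = parse_gentime(entry["passwordExpirationTime"])
        e_exp = parse_gentime(ext["passwordExpirationTime"])
        if i_exp != e_exp:
            findings.append({
                "cn": cn,
                "problem": "expiry drift",
                "days": (e_exp - i_exp).days,
                "external_expired": e_exp <= now,
            })
    return findings


if __name__ == "__main__":
    reference_now = datetime(2008, 1, 15, tzinfo=timezone.utc)  # fixed for reproducibility
    for finding in find_expiry_drift(INTERNAL_LDIF, EXTERNAL_LDIF, reference_now):
        print(finding)
```

Run against real exports, a finding with `days` equal to the policy's expiry interval (90 here) and `external_expired` false is the signature of the symptom in the post: the external tree's copy has been re-stamped by its own policy rather than carrying the already-expired value from the internal tree.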