The issue that I am having is that when a password expires in
eDirectory (sync from AD to eDir) the LDAP server is still allowing
users to log in with an expired password to the iChain Portal. In our
LDAP server in UP the Grace Login is not set to any value.

Shown below is the Password policy of the LDAP server.

My questions are:

1. Is the grace login not being set causing the issue?
2. What is the impact to existing users with unexpired passwords if we
are to set a value, let's say 5 Grace logins?
3. In the AD-IDV driver policy, if I am going to change the
nspmDistributionPassword to *Publisher* -Ignore- / *Subscriber*
-Notify- / *Merge* -None- / *Optimise* -No-, would it make any difference
at all? At the moment the config is *Publisher* Sync / *Subscriber*
Sync / *Merge* -None- / *Optimise* -No-


Enable Universal Password true
Enable the Advanced Password Rules true
Synchronize NDS password when setting Universal Password true
Synchronize Simple Password when setting Universal Password false
Allow user to retrieve password true
Allow admin to retrieve passwords false
Synchronize Distribution Password when setting Universal Password true

Verify whether existing passwords comply with the password policy (verification occurs on login) true

Allow user to initiate password change true
Require unique passwords true
Limit the number of passwords to store in the history list 12
Limit the number of days to store a password in the history list 30
Number of days before password expires 45
Minimum number of characters in password 6
Allow numeric characters in password true
Disallow numeric as first character false
Disallow numeric as last character false
Allow the password to be case sensitive true
Allow special characters in the password true
Disallow special character as first character false
Disallow special character as last character false

Any idea?