I have 2 questions.

First - we are currently working on populating a tree that will be used
ONLY for LDAP authentication. This is a new tree and we are populating
it with an LDAP sync process (push to IDM) with Datatel Colleague (a
Unidata personnel DB). This is a Colleague process and is not done with
an IDM driver. We've noticed a difference in what happens when someone
logs into the UA for the first time depending on whether their account
was manually created or created with the LDAP sync. If you create a
user manually in a container that has a password policy on it, the user
will be prompted immediately to change their password and then to set
their Challenge Response questions. If the user is created through the
sync process (in the same container), the user is prompted for Challenge
Response only even though they are on grace logins.

I figure that there must be a bit somewhere in the system that says to
prompt to change password and I'm wondering if someone can tell me what
attribute it is so that we can add it to our sync process.

Second - in a similar vein as the question above, is there a way to
prevent a user from making an LDAP bind to anything other than the UA if
they are using grace logins? We'd like to prevent the depletion of
grace logins and the need for an admin reset.