According to the source code, it seems you're right. But according to the OpenLDAP 2.4 admin guide
(http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Configuration),
it should be wrong, or at least, it doesn't look consistent to me since it mentions the following (when
pwdMustChange is set to FALSE):
The password does not need to be changed at the first bind or when the
administrator has reset the password (pwdMustChange: FALSE)
So, from what I understand, if pwdMustChange is set to TRUE, the password needs to be changed at the first bind, or when the
administrator has reset it.
Also, the slapo-ppolicy man pages tends to mean the same thing:
pwdMustChange This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If pwdMustChange has a value of "TRUE", users must change their passwords when they first bind to the directory after a password is set or reset by the administrator.