I have some issues with ppolicy. It seems it recognizes expiration dates (I know this from looking in the logs, but it does not warn the user their password is expiring soon), properly locks out accounts with too many failed logins but it cannot seem to force a password change when pwdReset is set to TRUE, nor does it prevent logins when the password has expired. Any help would be greatly appreciated. I'll post the things of importance below. Please let me know if anything else would help.

[root@ldapserver ~]# ldapsearch -x -LLL cn=default dn: cn=default,ou=policies,dc=example,dc=com objectClass: top objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: 2.5.4.35 pwdInHistory: 6 pwdCheckQuality: 1 pwdMinLength: 8 pwdMaxFailure: 4 pwdLockout: TRUE pwdFailureCountInterval: 0 pwdMustChange: TRUE pwdSafeModify: FALSE pwdLockoutDuration: 900 pwdExpireWarning: 432000 pwdGraceAuthNLimit: 1 pwdAllowUserChange: TRUE pwdMaxAge: 7776000

From slapd.conf overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=example,dc=com" ppolicy_use_lockout