[389-users] Re: pam_ldap not respecting passwordExpirationTime

I'm trying to migrate my organization of FDS, but policy requires a 90 day password expiration, and pam_ldap modules aren't forcing password changes even after the password expired. I saw in a thread back from 2011 that somebody was having an issue where setting passwordExpirationTime to 19700101000000Z would force a change, but 19700101000001Z wouldn't. Well... even setting to 19700101000000Z doesn't work for me. intdns1-01-lv:~ mpatenaude$ luser mitchtest2 dn: uid=mitchtest2,ou=People,dc=prod,dc=shutterfly,dc=com passwordExpirationTime: 19700101000000Z loginShell: /bin/bash uid: mitchtest2 cn: Mitch Test2 givenName: Mitch sn: Test2 mail: mitchtest2(a)shutterfly.com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: ldapPublicKey uidNumber: 5134 gidNumber: 5134 homeDirectory: /home/mitchtest2 gecos: Mitch Test2 But it lets that account log in without prompting for a password change. Any ideas?