I'm trying to migrate my organization of FDS, but policy requires a 90 day password expiration, and pam_ldap modules aren't forcing password changes even after the password expired.


I saw in a thread back from 2011 that somebody was having an issue where setting passwordExpirationTime to 19700101000000Z would force a change, but 19700101000001Z wouldn't.  Well... even setting to 19700101000000Z doesn't work for me.


intdns1-01-lv:~ mpatenaude$ luser mitchtest2

dn: uid=mitchtest2,ou=People,dc=prod,dc=shutterfly,dc=com

passwordExpirationTime: 19700101000000Z

loginShell: /bin/bash

uid: mitchtest2

cn: Mitch Test2

givenName: Mitch

sn: Test2

mail: mitchtest2@shutterfly.com

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

objectClass: ldapPublicKey

uidNumber: 5134

gidNumber: 5134

homeDirectory: /home/mitchtest2

gecos: Mitch Test2


But it lets that account log in without prompting for a password change. 


Any ideas?