I am still troubled with the issue of a users password expiring, they get the messages to change, successfully change password. Then the next time that they login, the password loop begins again.
If you are using shadowAccount objectclass for passwords (versus password policies), I had this same issue until I enable self-write access to the shadowLastChange attribute.
In Directory tab, select root domain
Right click and Select Set Access Permissions Select "Enable self-write for common attributes" and click on Edit Select "Self" and click on Edit Manually button.
After "userPassword", insert "|| shadowLastChange " and click on OK and again on OK on the parent window.