[389-users] admin account expires, expire time refuses to update

Brandon G bjg at solv.com
Mon Aug 9 17:30:05 UTC 2010


I am in a curious situation (and by curious I mean frustratingly 
annoying). I have enabled strong password policies, including 
expirations, across my tree (policy of the site).  This has since 
affected my 'admin' account in 
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot.  I 
discovered this was happening when I was no longer able to log in to the 
IDM/admin console.

Unfortunately, the IDM gave a very obtuse error about not being able to 
find an object.  I discovered the real problem when I tried an 
ldapsearch with the admin uid, and it then returned password expired.  
This is a side issue, not part of the core problem.

I used ldapmodify with "cn=directory  manager" and changed the password 
hash.  I can then log in with IDM again.  I then go (in IDM) to the admin 
account and I change passwordexpirationtime to be 2040........Z (i.e. 
some time in the distant future).  I save this change; restart the 
directory server and the account is expired again.  If I go through the 
same reset process and pull up the value, it has not committed the 
passwordexpirationtime attribute, it is back to the original 
setting(!?)  To be even more confusing, if I do an ldapsearch on the 
uid=admin account, it doesn't even show the passwordexpirationtime 
attribute (and thus cannot be updated).  I can only see/change this via IDM.

Can anybody explain this behavior? Is there a better way to exclude the 
admin account from the password policies of the server? Can somebody 
explain why I can see some attributes on uid=admin that cannot be seen 
with ldapsearch?

Versions:

389-ds-console-1.2.0-5
389-admin-1.1.9-1
389-admin-console-1.1.4-2
389-console-1.1.3-5
389-ds-base-1.2.3-1
389-admin-console-doc-1.1.4-2
389-adminutil-1.1.8-4
389-ds-console-doc-1.2.0-5
389-dsgw-1.1.4-1
389-ds-1.1.3-5
RHEL 5.5

Any help/insight into this matter would be greatly appreciated.

-B.G.


