pwdReset: TRUE not working

[Jason Cwik <jason@cwik.org>]

Hi,

I've recently configured a new openldap 2.4.32 server with the ppolicy
overlay.  Most of the features like lockout and minLength work fine,
but I can't seem to force the user's password to expire.  I've even
set pwdReset: TRUE on the user's record to try and force them to reset
the password, but it doesn't seem to do anything.

Here's my overlay config:

MBP2:~ me$ ldapsearch -h 10.242.25.158 -D "cn=root,cn=config" -x -W -b
"cn=config" -s  sub "olcOverlay=ppolicy"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcOverlay=ppolicy
# requesting: ALL
#

# {1}ppolicy, {1}bdb, config
dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=my,dc=domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And the default pwdPolicy object:

MBP2:~ me$ ldapsearch -h 10.242.25.158 -D
"cn=ldapadmin,dc=my,dc=domain,dc=com" -x -W -b
"ou=policies,dc=my,dc=domain,dc=com" -s sub "cn=default"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=policies,dc=my,dc=domain,dc=com> with scope subtree
# filter: cn=default
# requesting: ALL
#

# default, policies, my.domain.com
dn: cn=default,ou=policies,dc=my,dc=domain,dc=com
objectClass: person
objectClass: top
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 30
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 11555200
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value


I turned on trace debugging and I do see it successfully loading
cn=default,ou=policies,dc=my,dc=domain,dc=com during the bind
operation, so it appears that ppolicy is running fine and loading the
policy object.

Any ideas?