This article lists caveats that apply to password management when an LDAP authentication server instance is configured on PCS or PPS devices.
Problem or Goal
Password Management must be enabled at the realm level if the administrator wants to enable password expiration or require a user to change their password at the next logon. This setting is enabled by default.
To enable password management, go to User Realms > <realm> > Authentication Policy > Password.
When using Sun One/iPlanet as an authentication server and the password policy in iPlanet enforces both “password expiration in X days” and “allow password change after Y days”, a user's profile receives a new password expiration date whenever that user's password is reset or changed. However, if the password expiration time frame itself is changed (for example from 10 days to 20 days), existing user profiles still show the old password expiration date, because the stored date is not recalculated against the new policy. This is a limitation of Sun One/iPlanet.
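An administrator who has changed the expiration interval may want to find which accounts still carry an expiration date computed under the old value. The following added example (not from the original article or the product) does that check offline over constructed sample entries; it assumes the directory stores a last-change timestamp and a per-entry expiration timestamp in LDAP GeneralizedTime, which are the values a real export would supply.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries. The key names are assumptions for this example;
# in a real export they would come from the entry's password-policy operational
# attributes (for example passwordExpirationTime on Sun One/iPlanet).
SAMPLE_ENTRIES = [
    # Password changed after the policy moved to 20 days: consistent.
    {"uid": "alice", "last_change": "20240301120000Z",
     "stored_expiration": "20240321120000Z"},
    # Password changed while the policy was 10 days: stale after the change.
    {"uid": "bob", "last_change": "20240301120000Z",
     "stored_expiration": "20240311120000Z"},
]


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in the common 'YYYYMMDDHHMMSSZ' form as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_stale_expirations(entries, max_age_days):
    """Return (uid, stored, expected) for entries whose stored expiration date
    does not equal last change + the current policy's max age.

    Such entries still reflect the expiration interval in force when the
    password was last set, which is the limitation described above."""
    expected_age = timedelta(days=max_age_days)
    stale = []
    for entry in entries:
        changed = parse_generalized_time(entry["last_change"])
        stored = parse_generalized_time(entry["stored_expiration"])
        if stored - changed != expected_age:
            expected = changed + expected_age
            stale.append((entry["uid"], stored.isoformat(), expected.isoformat()))
    return stale


if __name__ == "__main__":
    # Policy was raised from 10 to 20 days; report accounts still on the old date.
    for uid, stored, expected in find_stale_expirations(SAMPLE_ENTRIES, 20):
        print(f"{uid}: stored expiration {stored}, expected {expected}")
```

Accounts reported by the check only pick up the new interval once their password is reset or changed.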
AD domain controllers synchronize security policy settings every 5 minutes. If a change is made to the security policy, for example to “minimum password length”, it can take up to 5 minutes before that change propagates to all domain controllers. This also applies to the domain controller on which the change was originally made.