Password policy-related errors
Enabling a password policy can sometimes cause unexpected errors.
When certain password policies are enabled, they can cause failures that may not be obvious. Review the following for help in troubleshooting password policy-related errors.
Bind with proper password fails with "invalid credentials": The password may have expired or the account may be locked. Look at the pwdchangedtime and pwdaccountlockedtime attributes of the entry.
Requests fail with "unwilling to perform" after a successful bind: The password may have been reset. In that case a bind succeeds, but the only operation the server permits is for the user to change the password. Other requests fail with "unwilling to perform" until the password has been changed.
Authentication with a password that has been reset behaves unexpectedly: When the password has been reset, the bind request will succeed, as described above. This means that a user may be able to authenticate indefinitely using a reset password.
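The checks described above, as an added example that is not part of the original page or of the product: a Python function that classifies an entry from operational attributes that have already been retrieved. The pwdreset attribute name, the policy values pwd_max_age and lockout_duration (in seconds, with 0 taken to mean no expiry and no automatic unlock), and the sample entries are assumptions.

```python
from datetime import datetime, timedelta, timezone

def parse_gtime(value):
    """Parse a UTC GeneralizedTime: 20240301120000Z or 20240301120000.000000Z."""
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def diagnose(entry, pwd_max_age, lockout_duration, now):
    """Return the password-policy states that apply to one entry.

    entry: operational attributes, lower-cased name -> string value.
    pwd_max_age, lockout_duration: policy values in seconds (assumed
    semantics: 0 = passwords never expire / lock lasts until an admin clears it).
    """
    findings = []
    locked = entry.get("pwdaccountlockedtime")
    if locked:
        unlock_at = parse_gtime(locked) + timedelta(seconds=lockout_duration)
        if lockout_duration == 0 or now < unlock_at:
            findings.append("locked")        # bind fails: invalid credentials
    changed = entry.get("pwdchangedtime")
    if changed and pwd_max_age > 0:
        if now >= parse_gtime(changed) + timedelta(seconds=pwd_max_age):
            findings.append("expired")       # bind fails: invalid credentials
    if entry.get("pwdreset", "").upper() == "TRUE":   # assumed attribute name
        findings.append("reset")             # bind works, other ops: unwilling to perform
    return findings

# Constructed sample data, not taken from a real directory.
NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "uid=alice": {"pwdchangedtime": "20240201000000Z",
                  "pwdaccountlockedtime": "20240301115500Z"},
    "uid=bob": {"pwdchangedtime": "20230101000000.000000Z"},
    "uid=carol": {"pwdchangedtime": "20240301000000Z", "pwdreset": "TRUE"},
}

if __name__ == "__main__":
    for dn, attrs in SAMPLES.items():
        # 90-day maximum age, 10-minute lockout (constructed policy values)
        print(dn, diagnose(attrs, 90 * 86400, 600, NOW))
```

Entries that keep reporting "reset" across repeated runs are the ones still authenticating with a reset password, the case described in the last item above.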