How is the pwdMustChange policy supposed to be applied to ldap clients? Doesn't this need support in the client? I'm sure ldapsearch(1), for example, can't change the userPassword attribute, but it can authenticate without problems. So how is this policy going to be enforced?