I know it’s been changed because it’s my test user and I’ve changed it. I’ve checked and it doesn’t
Seem to be broken on a per user basis, it seems to not be working globally.
I’m can also run it directly against the master using ldappassword and get the same results.
Do you have any clue (from the access log for example), that this user’s password
has been successfully changed after 20110606211056Z ?
Or is there any chance that the password was changed while the policy overlay wasn’t loaded,
which could occur if it was changed on a misconfigured replica for example.