We've setup an 389 Directory Server on a Fedora21 and configured synchronization with an Active Directory (running on an Windows2012R2 Datacenter). We've managed to synchronize all the accounts from the 389DS to AD (about 44000). All the accounts have the "user must change password at next logon" in the AD, even if the users change their passwords on the 389DS, The password gets to the AD, but the flag for "user must change password at next logon" still remains active (basically forces the user to change their password on the Active Directory). Is there any workaround for this?

The attribute passwordMustChange in the 389DS is set to Off.

Thank you,

Mihai Carabas

University POLITEHNICA of Bucharest