User connects to /user-settings page to change their password but it does not work. Services based on PAM (like IMAP) are not accessible.
A. WONTFIX: Password expiration with OpenLDAP is rarely used, we can live with this limitation. Users with expired passwords call and get a new password from the sysadmin.
B. REMOVE the feature completely starting from NS 7.10. The Password policy is removed from the UI, LDAP shadow* attributes are no longer enforced also in existing systems, which are forcibly migrated to a non-expiring password policy.
C. IMPLEMENT an alternative. New systems will be based on the new implementation. Old systems retain the current behavior. A manual migration path would be useful.
After a brief discussion with @giacomo and @nrauso, we found approach B is a good compromise:
A is a time-bomb, as it leaves the door open to sudden service lockouts
C is optimal but it seems it is not worth the effort for a feature that is rarely used