I get the trick of setting a password policy to force a password change on the next login, and I've implemented it.
What I think I'm missing is the piece that goes into the login process somewhere and actually checks the need for a reset and forces the execution of [ldap]passwd as the first thing the user does after login. Is that part documented somewhere? Google buries me under the LDAP server end of the process.
David - Offbeat http://dafydd.livejournal.com
dafydd - Online http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department