We need to hang on to the user's (old) password when the policy error is change-after-reset, too, just as we do for password-expired. As far as the end-user and we are concerned, they're pretty much the same policy error. diff -up pam_ldap-176/pam_ldap.c pam_ldap-176/pam_ldap.c --- pam_ldap-176/pam_ldap.c 2007-10-02 14:23:26.000000000 -0400 +++ pam_ldap-176/pam_ldap.c 2007-10-02 14:25:24.000000000 -0400 @@ -2121,8 +2121,9 @@ _connect_as_user (pam_handle_t * pamh, p * us to preserve the userpw for subsequent binds to a master server * in case we're doing referrals */ - if (session->info->policy_error != POLICY_ERROR_SUCCESS && - session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED) + if ((session->info->policy_error != POLICY_ERROR_SUCCESS) && + (session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED) && + (session->info->policy_error != POLICY_ERROR_CHANGE_AFTER_RESET)) { _pam_overwrite (session->info->userpw); _pam_drop (session->info->userpw);
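Review bot: the comment directly above the condition ("preserve the userpw for subsequent binds to a master server in case we're doing referrals") no longer covers every reason the cleartext password is retained; with POLICY_ERROR_CHANGE_AFTER_RESET now joining POLICY_ERROR_PASSWORD_EXPIRED, extend it to say the password is also kept so a forced password change can be completed. Because this keeps the plaintext in session->info->userpw for one more case, please confirm that the later code which consumes it for the password-expired flow also reaches _pam_overwrite/_pam_drop on the change-after-reset path, so the retained secret is wiped as soon as it is no longer needed. The parentheses added around each comparison are harmless but not required; a small positive helper (for example a hypothetical policy_error_keeps_userpw()) would read more clearly than a growing chain of negated checks.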