Chances are, your userPassword value is already encrypted (hashed).
This is working as designed and is expected. When a CA Directory password policy is enabled and in effect, the DSA cannot determine password quality when it is presented with a hashed (i.e. already encrypted) version of the password value.
For example, if you add or modify a user via LDIF, you may have something like the following:
dn: cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au
postalAddress: 83 Venton Road$Hobart TAS
postalCode: 7000
sn: LINK
telephoneNumber: 544 3697
userPassword: {SSHA}encryption_of_the_password
title: Group Secretary
cn: Craig LINK
description: Product Distribution
mail: [email protected]
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
With password policy enabled, the DSA expects the password in clear text so that it can encrypt/hash the value on its own before storing it. The DSA cannot re-encrypt an already encrypted value (i.e. double encryption) for the 'userPassword' attribute. The solution is to supply the value in clear text.
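A pre-import check for the situation described above, as an added example that is not part of the original article or of CA Directory: it scans LDIF text for userPassword values that already carry a hash scheme prefix such as {SSHA}, including values written in base64 (userPassword::), where the prefix is not visible in the file. The second and third entries and all password values in the sample are constructed, and the function names are hypothetical.

```python
import base64
import re

# Scheme prefix on a stored password value, e.g. {SSHA} as in the entry above.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

# Constructed sample LDIF (only the first DN comes from the article).
SAMPLE_LDIF = """\
dn: cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au
userPassword: {SSHA}encryption_of_the_password

dn: cn=Example USER,ou=Administration,ou=Corporate,
 o=democorp,c=au
userPassword:: e1NIQX1jb25zdHJ1Y3RlZA==

dn: cn=Clear TEXT,ou=Administration,ou=Corporate,o=democorp,c=au
userPassword: constructed-clear-text-value
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_prehashed(ldif_text):
    """Return [(dn, scheme)] for entries whose userPassword is already hashed."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        # "attr:: value" marks a base64-encoded value; decode before checking.
        is_b64 = rest.startswith(":")
        value = rest[1:].strip() if is_b64 else rest.strip()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "userpassword":
            m = SCHEME_RE.match(value)
            if m:
                findings.append((dn, m.group(1).upper()))
    return findings
```

Entries returned by find_prehashed are the ones the DSA cannot quality-check under password policy; the clear-text entry is not reported.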