Chances are, your userPassword value is already encrypted (HASHED).
This is working as designed and is expected. When the CA Directory password policy is enabled and in effect, the DSA cannot determine password quality when presented with a hashed (i.e. already encrypted) password value.
For example, if you add or modify a user via LDIF, you may have something like the following:
dn: cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au
postalAddress: 83 Venton Road$Hobart TAS
telephoneNumber: 544 3697
title: Group Secretary
cn: Craig LINK
description: Product Distribution
mail: [email protected]
With password policy enabled, the DSA expects the password in clear text so that it can encrypt/hash the value on its own before storing it. The DSA cannot re-encrypt an already encrypted value (i.e. double encryption) for the 'userPassword' attribute. The solution is to use a clear-text value.
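A pre-import check for the situation described above, as an added example that is not CA Directory code: it scans an LDIF file and reports entries whose userPassword is already hashed. It assumes hashed values carry an RFC 2307-style `{SCHEME}` prefix; the function names and the sample entries are constructed for illustration.

```python
import base64
import re

# Assumption: pre-hashed values carry an RFC 2307-style "{SCHEME}" prefix.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}.+")

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Return (attribute, value), base64-decoding 'attr:: ...'; None for comments/blanks."""
    attr, sep, rest = line.partition(":")
    if not sep or line.startswith("#"):
        return None
    if rest.startswith(":"):  # base64 form, e.g. "userPassword:: e1NTSEF9..."
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return attr.split(";")[0].strip().lower(), rest.strip()

def find_hashed_passwords(ldif_text):
    """Return [(dn, scheme)] for each userPassword value that is already hashed."""
    findings, dn = [], None
    for attr, value in filter(None, map(parse_line, unfold(ldif_text))):
        if attr == "dn":
            dn = value
        match = SCHEME_RE.match(value) if attr == "userpassword" else None
        if match:
            findings.append((dn, match.group(1).upper()))
    return findings

# Constructed sample input: DNs, digests and the clear-text value are made up.
SAMPLE_LDIF = (
    "dn: cn=Test One,ou=Corporate,o=democorp,c=au\n"
    "userPassword: {SSHA}constructed\n -salted-digest\n\n"
    "dn: cn=Test Two,ou=Corporate,o=democorp,c=au\n"
    "userPassword:: " + base64.b64encode(b"{sha}constructed-digest").decode() + "\n\n"
    "dn: cn=Test Three,ou=Corporate,o=democorp,c=au\n"
    "userPassword: Constructed-Clear-Text-1\n"
)

if __name__ == "__main__":
    print(find_hashed_passwords(SAMPLE_LDIF))
```

A clear-text password that itself begins with a `{...}` token would also be reported, so treat a finding as a prompt to inspect the entry.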