CA Directory does not allow a user to bind when the password policy has password-age=99999 and the user's password is quite old (more than 578 days).
CA Directory returns error 49 (invalid credentials).
If tracing is set to x500, the trace log contains a "Password too old" message.
The password-last-use setting causes similar behavior.
Release: CA Directory 12.x, 14.x
This is caused by a bug in CA Directory: an arithmetic overflow occurs when the password-age value is compared with the dxPwdLastChange value.
Using password-age=0 eliminates this problem.
However, with the password-age=0 setting, CA Directory does not update dxPwdLastChange for existing users and does not create that operational attribute for new users, even though the attribute may be required.
The solution is to use password-age=18000 and password-last-use=18000 in the password policy. Do not attempt to set values higher than 18000.
This bug will be fixed in future releases of CA Directory.
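
The 578-day threshold is what you get if a day count is converted to seconds in a 32-bit integer: 99999 × 86400 wraps modulo 2^32 to roughly 578.46 days, while 18000 days does not wrap. The C sketch below is an added illustration, not CA Directory code; the 32-bit seconds conversion and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define SECONDS_PER_DAY 86400u

/* ASSUMPTION: the policy value in days is turned into seconds using a
 * 32-bit integer. Unsigned arithmetic is used so the wrap is well defined. */
static uint32_t max_age_seconds_32(uint32_t policy_days)
{
    return policy_days * SECONDS_PER_DAY;            /* wraps modulo 2^32 */
}

/* Same conversion done in 64 bits, where no wrap can occur. */
static uint64_t max_age_seconds_64(uint32_t policy_days)
{
    return (uint64_t)policy_days * SECONDS_PER_DAY;
}

/* 1 if the policy value is corrupted by the 32-bit conversion. */
static int wraps(uint32_t policy_days)
{
    return max_age_seconds_64(policy_days) != max_age_seconds_32(policy_days);
}

/* "Password too old" decision under the assumed 32-bit model. */
static int too_old_32(uint32_t policy_days, uint32_t days_since_change)
{
    uint64_t age = (uint64_t)days_since_change * SECONDS_PER_DAY;
    return age > max_age_seconds_32(policy_days);
}

/* The decision the administrator intended (64-bit limit). */
static int too_old_64(uint32_t policy_days, uint32_t days_since_change)
{
    uint64_t age = (uint64_t)days_since_change * SECONDS_PER_DAY;
    return age > max_age_seconds_64(policy_days);
}

int main(void)
{
    uint32_t settings[] = { 99999u, 18000u };        /* values from the article */
    for (int i = 0; i < 2; i++) {
        uint32_t d = settings[i];
        printf("password-age=%u: effective limit %.2f days, wraps=%d, "
               "579-day-old password rejected=%d (intended=%d)\n",
               d, max_age_seconds_32(d) / (double)SECONDS_PER_DAY,
               wraps(d), too_old_32(d, 579), too_old_64(d, 579));
    }
    return 0;
}
```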