In password policies, note that when expire-without-warning is 'false' and grace-logins is '0' users may bind to directory server successfully when the password is expired, that is, the time (pwdChangedTime + maxPasswordAge) has passed. Users may continue to bind successfully to directory server under these conditions for the length of time specified by password-expiration-warning-interval, after which the password expires and must be reset.
The clock that counts down from password-expiration-warning-interval starts with the first successful bind after the password has expired. This means that users can bind successfully to directory after their password has expired for the length of time specified by password-expiration-interval after the password has expired.
By way of example, if a users' password expired on Jan. 1, 2011 and the password-expiration-warning-interval is 1 day, and the user has not BINDed to directory server since the password expired, the next time the user BINDs with valid credentials starts a 24-hour clock (1 day password-expiration-warning-interval) during which time the user may BIND successfully. After 24 hours has passed the users' password must be reset.