I believe I have everything configured correctly. But clearly I'm missing something. Users can authenticate and that all works. If I expire a password, it recognizes that it is expired. It recognizes that part of our password policy requires 7 characters. I enter a new password that fits the policy and I get the error message:
"Cannot complete password change because the password does not meet the password policy requirements"
Here is a debug of the session when I attempt to change the password.
 Session Start
 New request Session, context 0xabb4ddd8, reqType = Modify Password
 Fiber started
 Creating LDAP context with uri=ldaps://192.168.8.1:636
 Connect to LDAP server: ldaps://192.168.8.1:636, status = Successful
 supportedLDAPVersion: value = 3
 supportedLDAPVersion: value = 2
 Binding as LDAP User
 Performing Simple authentication for LDAP User to 192.168.8.1
 LDAP Search:
Base DN = [ou=People, dc=<redacted>, dc=com]
Filter = [sAMAccountName=<redacted>]
Scope = [SUBTREE]
 User DN = [CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com]
 Talking to Active Directory server 192.168.8.1
 Reading password policy for <redacted>, dn:CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com
The "Account Operators" group can change user information, except it cannot change the Domain Administrators group or any of its members.
I was using my own account for testing and I am in the Domain Admins group. When I created a typical user account with which to test, the password change worked with the LDAP account user being in the "Account Operators" group only.
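A pre-test check for the situation described in this thread, added here as an example and not part of the original post: it reports whether an account is in Domain Admins, directly or through nested groups, before that account is used to test a password change through a bind account that is only in "Account Operators". It assumes the RSAT ActiveDirectory module; the function name and the sample account name are made up for illustration.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-ResettableByAccountOperators {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $SamAccountName
    )
    begin {
        # Domain Admins always has RID 512; resolving by SID avoids localized group names.
        $daSid = "$((Get-ADDomain).DomainSID.Value)-512"
        # -Recursive flattens nested groups and returns only the leaf members.
        $daMemberSids = @(Get-ADGroupMember -Identity $daSid -Recursive |
            ForEach-Object { $_.SID.Value })
    }
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

        $inDomainAdmins = $daMemberSids -contains $user.SID.Value

        # adminCount = 1 is stamped on protected accounts and is NOT cleared when the
        # user later leaves the group, so a former admin can still carry the locked-down
        # ACL. Treat it as a second reason to pick a different test account.
        $flagged = ($user.adminCount -eq 1)

        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            InDomainAdmins  = $inDomainAdmins
            AdminCount      = $user.adminCount
            SuitableForTest = (-not $inDomainAdmins) -and (-not $flagged)
        }
    }
}

# Usage with constructed account names:
# 'vpn.testuser', 'my.admin' | Test-ResettableByAccountOperators | Format-Table
```

An account that shows `SuitableForTest = False` says nothing about the VPN-side configuration; test the password change with an ordinary user instead.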