In case anyone ever has the same problem, here is the solution.
In the policy's Security Settings, Enforce Password Expiration absolutely must be set to Disabled.
Info from IBM Support on this:
Entering an old password and a new password here gives the user a message that the password was changed ... but this does not appear to affect future authentications with this server. On the next authentication attempt, the user must continue to use the "old password". The "new password" does not appear to get stored anywhere.
The point of this SPR is to allow an administrator to create a security policy that enforces Internet password expiration *if* the user was authenticated by Domino's HTTP password (meaning it used the Domino directory), and not enforce that expiration policy if any other authentication means were used. So, it would be possible to have an HTTP password of foo (or even null) and an LDAP password of bar. When foo was used password expiration would be enforced. When bar was used, it would not be.
Internally we are hitting this problem in the Iris Domain on Gemini/Iris, which is using Directory assistance to authenticate users coming in through the HTTP server with IBM's bluepages LDAP server. The Iris admins switched the password policies to enforce Internet password expiration a while back, and we believe we have been hitting this issue since then.
Note that this problem does not occur in the 8.0.2 code stream - we have an identical server configuration running on Banshee/Iris with the 8.0.2 code. Peter Mierswa has debugged this problem and says that the 8.0.2 code has since had other policy issues fixed in the 8.5 code stream and that this is likely the cause of the differing behavior.
Turn off the policy to check for expiration of the Internet password.
The workaround for this issue is to have two security policies created: one for AD users and one for non-AD users, with non-AD users having the option "Enforce Password Expiration" set to "Notes & Internet".