Thursday, July 2, 2009

Grace login for expired password

My Thai customer chatted with me today. He explained that the password policy which we implemented some time back is such that a user's password will expire every 30 days (typical of a bank). Once the password expires, the user will not be allowed to log in.

Now he wants a grace login limit, so that even though the password has expired, the Sun Directory Server still allows authentication to pass through.

Well, this request can be easily fulfilled with Sun Directory Server 6.2 onwards. The latest release implements a new password policy, one feature of which is:

A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.

However, do note that the compatibility mode needs to be set to DS6-mode. By default, Sun Directory Server 6.x comes installed in DS5-compatible-mode.
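To make the grace-limit rule quoted above concrete, here is a small Python model of the bind decision. It is an added example, not Sun Directory Server code. It assumes the attribute names `pwdMaxAge`, `pwdChangedTime` and `pwdGraceUseTime` from the IETF LDAP password policy draft, which this post does not mention, and the `check_bind` and `simulate` helpers are hypothetical.

```python
from datetime import datetime, timedelta, timezone


def check_bind(policy, entry, now):
    """Decide a bind that presented the correct password.

    policy: dict with 'pwdMaxAge' (seconds) and optional 'pwdGraceAuthNLimit'.
    entry:  dict with 'pwdChangedTime' (datetime); 'pwdGraceUseTime' is a list
            of timestamps of grace logins already used (assumed draft attribute).
    Returns (allowed, grace_logins_left); grace_logins_left is None if the
    password has not expired.
    """
    max_age = policy.get("pwdMaxAge", 0)
    expires = entry["pwdChangedTime"] + timedelta(seconds=max_age)
    if max_age == 0 or now < expires:
        return True, None                          # password still valid
    limit = policy.get("pwdGraceAuthNLimit", 0)    # absent behaves like 0
    used = len(entry.setdefault("pwdGraceUseTime", []))
    if used >= limit:
        return False, 0                            # expired and no grace left
    entry["pwdGraceUseTime"].append(now)           # consume one grace login
    return True, limit - used - 1


def simulate(limit, attempts=5):
    """Bind repeatedly one day after a 30-day password expired (constructed data)."""
    policy = {"pwdMaxAge": 30 * 86400}
    if limit is not None:
        policy["pwdGraceAuthNLimit"] = limit
    changed = datetime(2009, 6, 1, tzinfo=timezone.utc)
    entry = {"pwdChangedTime": changed}
    start = changed + timedelta(days=31)
    return [check_bind(policy, entry, start + timedelta(minutes=i))[0]
            for i in range(attempts)]


if __name__ == "__main__":
    for limit in (None, 0, 3):
        print("pwdGraceAuthNLimit =", limit, "->", simulate(limit))
```

With a limit of 3, the first three binds after expiry succeed and every later one fails until the password is changed, so the limit should be kept small.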


