We ran into a similar issue with handling password expirations. I add the following code to an 'LDAP Query' object in the Access Policy (on the successful branch from the 'LDAP Auth' object:
Expression: set timeStamp [mcget {session.ldap.last.attr.passwordExpirationTime}]; set year [string range $timeStamp 0 3]; set month [string range $timeStamp 4 5]; set day [string range $timeStamp 6 7]; set hour [string range $timeStamp 8 9]; set minute [string range $timeStamp 10 11]; set second [string range $timeStamp 12 13]; set PXT [clock scan "$month/$day/$year $hour:$minute:$second" -gmt true]; set now [clock seconds]; expr {$PXT <= $now}
If the expression is true it branches to a 'Redirect Ending' in the policy which redirects the user to the URL that handles the password change..
(This works with the timestamp that Novell uses in eDirectory)
Nimbostratus