Ticket #47492 - PassSync removes User must change password flag on the Windows side
Bug description: Windows Sync sends password modify even if it is
from PassSync originated on AD. The modify updates the pwdLastSet
attribute value to non-zero value. The value 0 indicates the pass-
word must change at next logon on AD.
Fix description: Before sending the password modify, check whether
the current pwdLastSet value is 0 or not. If it is 0 (means the
password must change), reset pwdLastSet value to 0 along with the
password modify. This operation replaces the password on AD, but
the password still must change at next logon.
Note: If "password must change at next logon" on the both DS and AD,
the password needs to be changed by the user on the both servers to
enable it on each.
https://fedorahosted.org/389/ticket/47492
Reviewed by Rich (Thank you!!)
(cherry picked from commit f9d1d9e08225e5885b76cede4da677708892ee7a)
(cherry picked from commit 8d34f77f6d8d3c83dce1f29e6df709df1adef09d)