diff --git a/clients/tools/common.c b/clients/tools/common.c
index 9d753701765beee8cb85762da7a202d59716acab..2658fcd2bcbafa0e341bdc61fddb314a29f037c4 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -1570,20 +1570,20 @@ tool_bind( LDAP *ld )
 #endif
 #ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
- if ( ctrls ) {
- LDAPControl *ctrl;
- ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRED,
- ctrls, NULL );
- if ( !ctrl )
- ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRING,
+ if ( ctrls ) {
+ LDAPControl *ctrl;
+ ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRED,
 ctrls, NULL );
- if ( ctrl ) {
- LDAPControl *ctmp[2];
- ctmp[0] = ctrl;
- ctmp[1] = NULL;
- tool_print_ctrls( ld, ctmp );
+ if ( !ctrl )
+ ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRING,
+ ctrls, NULL );
+ if ( ctrl ) {
+ LDAPControl *ctmp[2];
+ ctmp[0] = ctrl;
+ ctmp[1] = NULL;
+ tool_print_ctrls( ld, ctmp );
+ }
 }
- }
 #endif
 if ( ctrls ) {
diff --git a/tests/scripts/test022-ppolicy b/tests/scripts/test022-ppolicy
index 904497832b191faf0f92e4a5776d3ffde5d023f1..3bb2d0ee611cc7d236aec093b6020a25c5cbb462 100755
--- a/tests/scripts/test022-ppolicy
+++ b/tests/scripts/test022-ppolicy
@@ -142,7 +142,7 @@ fi
 echo "Filling password history..."
 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
 $TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: $PASS
@@ -150,7 +150,7 @@ userpassword: $PASS
 replace: userpassword
 userpassword: 20urgle12-1
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-1
@@ -158,7 +158,7 @@ userpassword: 20urgle12-1
 replace: userpassword
 userpassword: 20urgle12-2
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-2
@@ -166,7 +166,7 @@ userpassword: 20urgle12-2
 replace: userpassword
 userpassword: 20urgle12-3
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-3
@@ -174,7 +174,7 @@ userpassword: 20urgle12-3
 replace: userpassword
 userpassword: 20urgle12-4
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-4
@@ -182,7 +182,7 @@ userpassword: 20urgle12-4
 replace: userpassword
 userpassword: 20urgle12-5
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-5
@@ -200,7 +200,7 @@ fi
 echo "Testing password history..."
 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
 $TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userPassword
 userPassword: 20urgle12-6
@@ -220,7 +220,7 @@ echo "Testing forced reset..."
 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
 $TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 replace: userPassword
 userPassword: $PASS
@@ -256,7 +256,7 @@ echo "Clearing forced reset..."
 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
 $TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: pwdReset
@@ -557,6 +557,98 @@ fi
 fi
+echo ""
+echo "Testing obsolete Netscape ppolicy controls..."
+echo "Enabling Netscape controls..."
+$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
+ $TESTOUT 2>&1 << EOMODS
+dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
+changetype: modify
+replace: olcPPolicySendNetscapeControls
+olcPPolicySendNetscapeControls: TRUE
+-
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Reconfiguring policy to remove grace logins..."
+$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+ $TESTOUT 2>&1 << EOMODS
+dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
+changetype: modify
+delete: pwdGraceAuthnLimit
+-
+replace: pwdMaxAge
+pwdMaxAge: 15
+-
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+OLDPASS=$PASS
+PASS=newpass
+$LDAPPASSWD -H $URI1 \
+ -w secret -s $PASS \
+ -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "Setting new password failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Clearing forced reset..."
+$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+ $TESTOUT 2>&1 << EOMODS
+dn: $USER
+changetype: modify
+delete: pwdReset
+
+EOMODS
+
+DELAY=10
+
+echo "Testing password expiration"
+echo "Waiting $DELAY seconds for password to expire..."
+sleep $DELAY
+
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base > $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+ echo "Password expiration failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
+if test $COUNT = 0 ; then
+ echo "Password expiring warning test failed!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 echo ">>>>> Test succeeded"
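Review bot: The expiry assertion at the end of the added block treats any non-zero exit as proof that the expired password was rejected: `RC=$?` captures only the fifth `$LDAPSEARCH`, and `if test $RC = 0` cannot tell a refused bind from an unreachable server or a bad `$URI1`. Pinning the expected bind result would make the test check the security property itself, e.g. `if test $RC != 49 ; then` (49 is invalidCredentials, presumably what the overlay returns for an expired password with no grace logins; confirm against the server behaviour), which would also make the `($RC)` in the failure message informative. The "Clearing forced reset..." `$LDAPMODIFY` earlier in the same hunk is the only step added here without an `RC=$?` check, so a failed modify would surface only as a confusing bind result later. Separately, the `$LDAPPASSWD` call passes `-w secret` literally where the neighbouring manager binds use `-w $PASSWD`, and `OLDPASS=$PASS` is not read anywhere in the visible hunk.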