LDAP/GroupWise webmail passwords not aligned/synced or something

I have recently upgraded from GW12.3 to GW18.2. The system is configured to authenticate GroupWise through LDAP, with changing passwords through GroupWise disabled.

Some users report that when logging into webmail, they receive a page that says they have a limited # of grace logins left, they click 'ok' and then get a page that says:

Change Your Password

Your administrator has turned on LDAP authentication. Use your directory services password to access your Online Mailbox. To change your password, use your director services. Please contact your administrator for further details.

Then they're kicked out. The thing is, their password is not expired (verified in iManager). They have the full allocation of grace logins, and the graces are not decrementing when logging in/out.

I've had them change their NDS password using the Novell client, and verified their new password is legit by having them log out/log in to directory services. But webmail continues to give them the above, so they're not able to use webmail. Their accounts in the GWadmin console are successfully synchronized (verified).

It's not everyone, only some. One staff was brand-new, another has been around forever. I can't seem to reproduce by creating/using a test user.

I'm not sure where to look/solve.