Updating the password policy state in an entry is fragile, and vulnerable to the state being changed in between it being read and it being updated.
This could occur if two binds on an entry were processed on 2 servers in parallel. One server might see:
MODIFY REQ type=sync
BIND REQ (reads the old state)
MODIFY RES (changes to new state)
BIND RES (updates the wrong state)
Note the bind currently takes a read lock. A write lock might be more appropriate here?