ACLs and password policies
Hi All--
I just recently implemented the ppolicy module and now my users can't
change their passwords using the 'passwd' utility. I see the following
error in syslog (linux):
pam_ldap: ldap_extended_operation_s Insufficient access
Passwd returns the following:
[root@wpclab-pdc prd]# passwd tester
Changing password for user tester.
New password:
Retype new password:
LDAP password information update failed: Unknown error
Must supply old password to be changed as well as new one
passwd: Permission denied
I'm using PADL's nss_ldap and pam_ldap. If I bind as manager, passwd
works correctly. If I bind as my proxy user, I get the above errors. I
realize this is most likely an ACL problem, so here's the relevant part of
my ACL file:
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset
by dn="cn=ldap_repl,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=samba,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=nssldap,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=ldapux,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=solaris,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by self write
by * auth
pam_ldap binds as nssldap.
The ppolicy entries are world-readable, but not writable to the proxy user
because I could not see a need for it.
Any help would be greatly appreciated.
thanks
roy
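Added example, not part of the post above and not code from OpenLDAP or the PADL tools: a small Python model of how slapd evaluates an access directive (first matching "access to" clause decides, first matching "by" clause within it sets the level, implicit "by * none" otherwise), run over the directive quoted in the post. It is meant for checking what an ACL grants to a given bind DN on a given attribute before the ACL goes live. Assumptions: a bare dn="..." is treated as an exact DN match (dn.exact); only attrs= targets and the who forms *, self, anonymous, users and dn= are handled (no regex, subtree, group or filter forms, no continue/stop); the user DNs uid=tester,... and uid=someone,... are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# slapd privilege levels in ascending order (slapd.access(5));
# a granted level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class ByClause:
    who: str      # "*", "self", "anonymous", "users", or a normalised DN from dn="..."
    level: str


@dataclass
class AccessClause:
    attrs: frozenset  # lower-cased attribute names this clause covers
    by: list


def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_acl(text):
    """Parse 'access to attrs=... by <who> <level>' directives (attrs= targets only)."""
    clauses = []
    for block in re.split(r"(?m)^\s*access\s+to\b", text)[1:]:
        m = re.search(r"attrs=(\S+)", block)
        if not m:
            raise ValueError("this toy parser only handles 'access to attrs=...' clauses")
        attrs = frozenset(a.lower() for a in m.group(1).split(","))
        by = []
        for who, level in re.findall(r'\bby\s+(dn="[^"]*"|\S+)\s+(\w+)', block):
            if who.startswith('dn="'):
                # Assumption: bare dn="..." is an exact match (dn.exact); regex,
                # subtree and group forms are not modelled here.
                who = norm_dn(who[4:-1])
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            by.append(ByClause(who, level))
        clauses.append(AccessClause(attrs, by))
    return clauses


def who_matches(who, bind_dn, entry_dn):
    """bind_dn == "" means an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(entry_dn)
    return norm_dn(bind_dn) == who


def grant(acl, bind_dn, entry_dn, attr):
    """Level granted by the first 'access to' clause that covers attr; slapd stops there."""
    for clause in acl:
        if attr.lower() not in clause.attrs:
            continue
        for by in clause.by:
            if who_matches(by.who, bind_dn, entry_dn):
                return by.level
        return "none"   # clause covered the attribute but no 'by' matched: implicit 'by * none'
    return "none"       # no directive covered the attribute: denied once any ACLs are defined


def allows(acl, bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(grant(acl, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


# The access directive exactly as quoted in the post.
ACL_TEXT = """
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset
by dn="cn=ldap_repl,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=samba,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=nssldap,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=ldapux,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by dn="cn=solaris,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
by self write
by * auth
"""

PROXY_DN = "cn=nssldap,ou=DSA,dc=burlingame,dc=ibm,dc=com"          # from the post
TESTER_DN = "uid=tester,ou=People,dc=burlingame,dc=ibm,dc=com"      # constructed
OTHER_DN = "uid=someone,ou=People,dc=burlingame,dc=ibm,dc=com"      # constructed


def audit(acl):
    """A few of the questions an admin would ask of this directive before deploying it."""
    return {
        "proxy_can_write_tester_userPassword": allows(acl, PROXY_DN, TESTER_DN, "userPassword", "write"),
        "self_can_write_own_pwdChangedTime": allows(acl, TESTER_DN, TESTER_DN, "pwdChangedTime", "write"),
        "anonymous_level_on_userPassword": grant(acl, "", TESTER_DN, "userPassword"),
        "other_user_can_read_tester_userPassword": allows(acl, OTHER_DN, TESTER_DN, "userPassword", "read"),
        "proxy_level_on_uncovered_attr_mail": grant(acl, PROXY_DN, TESTER_DN, "mail"),
    }


if __name__ == "__main__":
    for question, answer in audit(parse_acl(ACL_TEXT)).items():
        print(f"{question}: {answer}")
```

Run as-is, the audit shows that the quoted directive itself grants the nssldap proxy DN write on every listed attribute, that "by * auth" lets any bind DN authenticate against userPassword without reading it, and that an attribute outside the attrs= list falls through to the implicit deny. Anything slapd decides outside these lines, such as other access directives in the file or the overlay's own handling of the operation, is not modelled by this check.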