I'm really banging my head against the wall trying to get the slapo-ppolicy overlay to actually enforce a password policy.
The only sign that I'm at least partly on the right track: with pwdSafeModify=TRUE in my default policy, pam_ldap returns the error shown below when I change my password; with pwdSafeModify=FALSE the change succeeds. (That part may actually be working as designed: per slapo-ppolicy(5), pwdSafeModify=TRUE requires the existing password to be sent along with the new one — a modify that deletes the current userPassword value and adds the new one, or I believe the Password Modify extended operation with the old password supplied — so a client that simply replaces userPassword is rejected; check which method pam_ldap's pam_password option is using.)
* I am assuming that the password policy is enforced server-side by slapd (the ppolicy overlay), so testing through pam_ldap is not necessary at this point: any LDAPv3 client, such as Apache Directory Studio, should be able to exercise the policy. (To be a meaningful test the client must bind as the user whose password is being changed — the rootdn bypasses all ACLs and is not what the policy is meant to constrain.)
slapd.conf: # (I am aware that the catch-all ACL grants "* write"; this is just desperate testing on a throwaway test box and must never be used on a real directory.)
# Schema files. ppolicy.schema supplies the pwdPolicy objectClass and the pwd*
# attributes that slapo-ppolicy needs (slapo-ppolicy(5)); pwm.schema supplies the
# pwmResponseSet/pwmToken attributes referenced in the ACL below.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/pwm.schema
include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default.
# NOTE(review): LDAPv2 has no StartTLS and no request/response controls, so a v2
# client cannot protect its bind and receives none of the ppolicy controls
# (expiry warnings, error details). Leave this off unless a known legacy client
# needs it; it is irrelevant to the ppolicy test itself.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ACL
#######################################################################
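# Credentials and PWM self-service data. slapd evaluates the "by" clauses in
# order and stops at the first one that matches the requester, so the specific
# service DNs are listed before the generic anonymous/self clauses.
#   uid=root, svc_pam, svc_pwm  : may set passwords (reset flows)
#   cn=replica                  : syncrepl consumer, reads hashes to replicate them
#   anonymous auth              : simple bind may compare, never read the hash back
#   self write                  : a user bound as itself may change its own
#                                 password; with pwdSafeModify=TRUE that modify
#                                 must delete the current value and add the new one
# In slapd.conf the "by" clauses are continuation lines of the "access" directive
# and must begin with whitespace (slapd.conf(5)); the unindented form as posted
# is probably a paste artifact, but would not parse as written.
access to attrs=userPassword,pwmResponseSet,pwmToken
    by dn="uid=root,ou=People,dc=example,dc=net" write
    by dn="cn=svc_pam,ou=SVC_Accounts,dc=example,dc=net" write
    by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write
    by dn="cn=replica,dc=example,dc=net" read
    by anonymous auth
    by self write
    by * none

# Everything else. The posted "by * write" let any requester -- including an
# anonymous one -- modify every entry under the suffix: group memberships,
# sudoers data, and the pwd* attributes of cn=default itself, which also makes
# any policy test meaningless. Users may edit their own entry; everyone else
# gets read only. Anonymous read is kept because nss_ldap lookups (nis.schema
# is loaded) are commonly unauthenticated -- tighten to "by users read" plus
# "by * none" if every client binds.
access to *
    by self write
    by * read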
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=example,dc=net"
# The rootdn bypasses every ACL above and is not the identity the password
# policy is meant to govern; run the password-change tests bound as the user,
# not as cn=admin.
rootdn "cn=admin,dc=example,dc=net"
# NOTE(review): {SMD5} is salted MD5. slappasswd defaults to {SSHA}; prefer that
# (or a stronger scheme if this build offers one) when this value is regenerated.
rootpw {SMD5}*********
# Password policy. cn=default applies to every entry that has no explicit
# pwdPolicySubentry; it must exist and carry the pwdPolicy objectClass (from
# ppolicy.schema) or nothing is enforced -- the entry is not shown in this post.
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=net"
# Per slapo-ppolicy(5) this makes a bind to a locked account fail with an
# AccountLocked error instead of a plain invalidCredentials, which tells an
# unauthenticated caller which accounts exist and are locked. Off by default;
# keep it off outside of testing.
ppolicy_use_lockout
# Sync provider for the cn=replica consumer: checkpoint contextCSN every 100
# write operations or 10 minutes, whichever comes first.
overlay syncprov
syncprov-checkpoint 100 10
directory /var/lib/ldap
# NOTE(review): loglevel is a global directive (slapd.conf(5)) and conventionally
# belongs before the first "database" line -- confirm slapd honours it here.
# 65535 turns on every debug category, including packet/BER dumps, so the log
# may contain simple-bind credentials in the clear; use "stats" (256) or
# "stats,sync" once the ACL/policy questions are settled.
loglevel 65535
# Indices to maintain for this database
# Same index set as before, grouped by purpose. A comma-separated attribute list
# on one "index" line is equivalent to one line per attribute.
# Structural / filter basics
index objectClass eq,pres
# Replication: syncprov and the consumer search on these
index entryCSN,entryUUID,contextCSN eq
# Naming and people lookups
index cn,ou,mail,surname,givenname eq,pres,sub
index uid,memberUid eq,pres,sub
# NIS maps and posix account attributes
index nisMapName,nisMapEntry eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
# sudo rule lookups
index sudoUser eq