Trouble getting ppolicy overlay to work

[D C <dc12078@gmail.com>]

I'm really banging my head trying to get the ppolicy overlay to work properly.

My only indication that I am partially on the right track is that if I set pwdSafeModify=TRUE in my default policy, then I get the following error from pam_ldap when changing my password.  If I set it back to false, then I can change my password.

LDAP password information update failed: Insufficient access

Must supply old password to be changed as well as new one

passwd: Authentication token manipulation error

However,  everything else in the policy is being ignored.  any help would be greatly appreciated.

Thanks!

* I am assuming that the password policy is going to be enforced by ldap, so testing with pam_ldap is not necessary at this point.  I should be able to use any client such as apache directory studio to test password policy.

Version Info:

CentOS 6.4

CentOS packaged openldap-servers-2.4.23

slapd.conf:   # ( I am aware that I have * write.  this is just for desperate testing on a test box )

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/sudo.schema

include         /etc/openldap/schema/pwm.schema

include         /etc/openldap/schema/ppolicy.schema

moduleload      ppolicy.la

moduleload      syncprov.la

# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

#######################################################################

# ACL

#######################################################################

access to attrs=userPassword,pwmResponseSet,pwmToken

        by dn="uid=root,ou=People,dc=example,dc=net" write

        by dn="cn=svc_pam,ou=SVC_Accounts,dc=example,dc=net" write

        by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write

        by dn="cn=replica,dc=example,dc=net" read

        by anonymous auth

        by self write

        by * none

access to *

        by self write

        by * write

#######################################################################

# ldbm and/or bdb database definitions

#######################################################################

database        bdb

suffix          "dc=example,dc=net"

rootdn          "cn=admin,dc=example,dc=net"

rootpw          {SMD5}*********

overlay ppolicy

ppolicy_default "cn=default,ou=policies,dc=example,dc=net"

ppolicy_use_lockout

                                                                                                                                              

overlay         syncprov

syncprov-checkpoint 100 10

directory       /var/lib/ldap

loglevel 65535

# Indices to maintain for this database

index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub

index contextCSN                        eq

index sudoUser                          eq

index entryCSN                          eq

index entryUUID                         eq

# default, policies, example.net

dn: cn=default,ou=policies,dc=example,dc=net

objectClass: top

objectClass: person

objectClass: pwdPolicy

cn: default

sn: default policy

pwdAttribute: userPassword

pwdMaxAge: 7776002

pwdExpireWarning: 432000

pwdInHistory: 3

pwdLockout: TRUE

pwdGraceAuthNLimit: 0

pwdMustChange: TRUE

pwdAllowUserChange: TRUE

pwdLockoutDuration: 45

pwdMaxFailure: 2

pwdFailureCountInterval: 1

pwdMinLength: 12

pwdCheckQuality: 1

pwdSafeModify: TRUE