I've been working on this for about a week, and can't seem to figure out why this is happening.
I've got passwd working, letting users change their own ldap password from a client machine, and it working with the ppolicy overlay:
$ passwd
Current Password:
New password:
BAD PASSWORD: The password is shorter than 8 characters
New password:
BAD PASSWORD: The password is a palindrome
New password:
BAD PASSWORD: The password is the same as the old one
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
However, when I use ldappasswd to change my password, it allows me to create one letter passwords, and palindromes, but not passwords in my history:
$ ldappasswd -H ldap://**** -x -D "uid=test,ou=Users,dc=***,dc=***,dc=***" -W -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
$
# no issues entering "a" as the password (this is bad)
$ ldappasswd -H ldap://**** -x -D "uid=test,ou=Users,dc=***,dc=***,dc=***" -W -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords
$
# entered "password" as the password and it doesn't let me change it
Ideally, I'd like both passwd and ldappasswd to follow the password policy.
Here are my access rules in the slapd config:
/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
...
# manager is the root bind dn, with password in /etc/ldap.secret
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="uid=manager,ou=Users,dc=***,dc=***,dc=***" write by anonymous auth by * none
olcAccess: {1}to * by * read by dn.base="uid=manager,ou=Users,dc=***,dc=***,dc=***" write
...
It seems to me like passwd is binding to the root dn, because removing the access for the manager account makes passwd stop working entirely, and ldappasswd is unaffected.
Any help is appreciated.
