LinuxQuestions.org

LinuxQuestions.org > Linux - Security > Trouble using openldap ppolicy in CentOS 6.3 (https://www.linuxquestions.org/questions/linux-security-4/trouble-using-openldap-ppolicy-in-centos-6-3-a-4175457371/)

Ratclaws 04-08-2013 11:04 AM

Trouble using openldap ppolicy in CentOS 6.3
 
I need to enforce password policies via ldap, but I am not having any luck.

I can see that when I try to change my password, I do see the following in the slapd log. What am I missing?

I'm not sure that it is actually seeing my policy which is populated in
cn=default,ou=policies,dc=example,dc=net


Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 BIND dn="" method=128
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 RESULT tag=97 err=0 text=
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=3 SRCH base="" scope=0 deref=0 filter="(?objectClass=passwordPolicy)"


Here are the relevant changes that I put in place to make it happen.

slapd.conf:
## Up top
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la

# ACL
access to attrs=userPassword,pwmResponseSet
by dn="uid=root,ou=People,dc=example,dc=net" write
by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write
by dn="cn=replica,dc=example,dc=net" read
by anonymous auth
by self =xw
by * none

access to *
by self write ## remove this.
by * read


## after my database bdb section
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=net"
ppolicy_use_lockout


I've also added "pam_lookup_policy yes" to the following
/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/pam_ldap.conf


And the LDIF that I used to add the policy:
dn: ou=policies,dc=example,dc=net
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.net
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
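As an added example (not code from the original post), the following Python script parses the slapd log lines and the pwdPolicy LDIF entry quoted above and cross-checks them. It reads the conn/op fields and the search base and filter out of each log line, reports filter components that slapd has marked with a leading `?` (which slapd prints for a filter component it cannot evaluate, such as an attribute type or objectClass value the server does not know), compares the objectClass value in the client's filter with the objectClass values the policy entry actually carries, and renders the policy's second-based attributes in human units. The sample log and LDIF are copied from the post; the LDIF reader is simplified (no base64 `::` values or continuation lines), which is an assumption of this example.

```python
import re

# Constructed sample input: the three slapd log lines quoted in the post.
SLAPD_LOG = """\
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 BIND dn="" method=128
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 RESULT tag=97 err=0 text=
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=3 SRCH base="" scope=0 deref=0 filter="(?objectClass=passwordPolicy)"
"""

# Constructed sample input: the policy entry from the post's LDIF.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
"""

# "slapd[pid]: conn=N op=M KIND rest-of-line"
LOG_RE = re.compile(r'slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)')
# key=value pairs; values are either double-quoted (may be empty) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_slapd_log(text):
    """Turn each slapd stats-log line into a dict of its fields."""
    ops = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = {"conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
        for key, value in KV_RE.findall(m["rest"]):
            rec[key] = value.strip('"')
        ops.append(rec)
    return ops


def undefined_filter_components(filter_str):
    """Return (attribute, value) pairs slapd prefixed with '?' as undefined."""
    return re.findall(r'\(\?([^=()]+)=([^()]*)\)', filter_str)


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry (simplified: no '::' or folded lines)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        attr, _, value = line.partition(': ')
        entry.setdefault(attr, []).append(value)
    return entry


def cross_check(ops, entry):
    """Compare what the client searched for with what the policy entry contains."""
    findings = []
    for op in ops:
        if op["kind"] != "SRCH":
            continue
        if op.get("base") == "":
            findings.append(f'op={op["op"]}: search base is "" with scope={op["scope"]}; '
                            f'the policy entry lives at {entry["dn"][0]}')
        for attr, value in undefined_filter_components(op.get("filter", "")):
            present = ", ".join(entry.get(attr, []))
            findings.append(f'op={op["op"]}: filter component {attr}={value} is marked '
                            f'undefined by slapd; the entry carries {attr}: {present}')
    return findings


def summarize_policy(entry):
    """Render the second-based pwdPolicy attributes and their 0-value meanings."""
    g = lambda a: int(entry[a][0])
    return {
        "max_age_days": round(g("pwdMaxAge") / 86400, 2),
        "expire_warning_days": round(g("pwdExpireWarning") / 86400, 2),
        "lockout_minutes": g("pwdLockoutDuration") / 60,
        # 0 means the failure counter only resets on a successful bind
        "failure_count_resets": "only on successful bind" if g("pwdFailureCountInterval") == 0
                                 else f'after {g("pwdFailureCountInterval")} s',
        # 0 means no grace binds after expiry
        "grace_binds": g("pwdGraceAuthNLimit"),
        "lockout_enabled": entry["pwdLockout"][0] == "TRUE",
    }


if __name__ == "__main__":
    ops = parse_slapd_log(SLAPD_LOG)
    entry = parse_ldif_entry(POLICY_LDIF)
    for f in cross_check(ops, entry):
        print(f)
    print(summarize_policy(entry))
```

Run it as-is to see the two findings for op=3 (the empty base and the undefined objectClass value) followed by the policy summary; point `SLAPD_LOG` at real `loglevel stats` output to review other clients' policy lookups the same way.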

