Hi,

Ok, I'll just read again that FAQ. Check this complete log of ppolicy with/without smbk5pwd overlay. Or maybe just another pam_ldap bug

1. change passwd before entering new password
# passwd techsupport
Enter login(LDAP) password:

smbk5pwd+ppolicy log: http://pastebin.com/m7dce205a
ppolicy log: http://pastebin.com/m18f72eb6

2. enter new password
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Operations are restricted to bind/unbind/abandon/StartTLS/modify password
passwd: Permission denied
passwd: password unchanged

smbk5pwd+ppolicy log: http://pastebin.com/m4f98884e
ppolicy log: http://pastebin.com/m2fe93f63

If you look into step 1 anomymous is applied as well, without smbk5pwd and pwdReset update is successful. In step 2 there you can see the difference, if its acl problem can someone suggest a working acl(minimal) with smbk5pwd+ppolicy+pwdReset...

thanks
grexk
--- On Mon, 7/28/08, Dieter Kluenter <dieter@dkluenter.de> wrote:
From: Dieter Kluenter <dieter@dkluenter.de>
Subject: Re: ppolicy pwdReset
To: openldap-software@openldap.org
Date: Monday, July 28, 2008, 3:06 PM

greek ordono <grexk@yahoo.com> writes:

> Hello,

>

> I've changed my acl like this:

> access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange

> by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write

> by anonymous auth

> by self write

>

> access to *

> by self write

> by * read

>


> <= acl_mask: [3] applying auth(=xd) (stop)

> <= acl_mask: [3] mask: auth(=xd)

> => slap_access_allowed: read access denied by auth(=xd)

> => access_allowed: no more rules


The answer is obvious, your rule "by anonymous auth" is applied.
You should prabably read
http://www.openldap.org/faq/data/cache/189.html
in order to design access rules

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6