After nearly two weeks of going nuts trying to setup a password policy, I finally found part of the documentation that I was missing. Apparently "ppolicy" does not actualy enforce the policy you create. If I'm understanding the documentation correctly, it really only provides more of a transport to something else which can do it.
In particular the attribute pwdCheckModule, needs to point to a module which can enforce the policy. However no module seems to be provided.
What modules are other people using? I stumbled around and found password_check.so, which I am trying to setup now with partial success.
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
Anyone else have something better? One thing I need to do which I don't think this will help with, is storing the last x passwords.
Thanks, Dan