I'm really banging my head trying to get the ppolicy overlay to work properly.

My only indication that I am partially on the right track is that if I set pwdSafeModify=TRUE in my default policy, then I get the following error from pam_ldap when changing my password.  If I set it back to false, then I can change my password.

LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Authentication token manipulation error


However,  everything else in the policy is being ignored.  any help would be greatly appreciated.

Thanks!

* I am assuming that the password policy is going to be enforced by ldap, so testing with pam_ldap is not necessary at this point.  I should be able to use any client such as apache directory studio to test password policy.


Version Info:
CentOS 6.4
CentOS packaged openldap-servers-2.4.23

slapd.conf:   # ( I am aware that I have * write.  this is just for desperate testing on a test box )
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/sudo.schema
include         /etc/openldap/schema/pwm.schema
include         /etc/openldap/schema/ppolicy.schema
moduleload      ppolicy.la
moduleload      syncprov.la

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
#######################################################################
# ACL
#######################################################################
access to attrs=userPassword,pwmResponseSet,pwmToken
        by dn="uid=root,ou=People,dc=example,dc=net" write
        by dn="cn=svc_pam,ou=SVC_Accounts,dc=example,dc=net" write
        by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write
        by dn="cn=replica,dc=example,dc=net" read
        by anonymous auth
        by self write
        by * none

access to *
        by self write
        by * write

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=net"
rootdn          "cn=admin,dc=example,dc=net"
rootpw          {SMD5}*********
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=net"
ppolicy_use_lockout
                                                                                                                                              
overlay         syncprov
syncprov-checkpoint 100 10
directory       /var/lib/ldap
loglevel 65535

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index contextCSN                        eq
index sudoUser                          eq
index entryCSN                          eq
index entryUUID                         eq


# default, policies, example.net
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default policy
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdLockout: TRUE
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdLockoutDuration: 45
pwdMaxFailure: 2
pwdFailureCountInterval: 1
pwdMinLength: 12
pwdCheckQuality: 1
pwdSafeModify: TRUE