Thanks for the explanation that really helped, I didn't know about the '+'  and was able to see some ppolicy operational attributes on my uid.  I read the slapo-ppolicy manual page and that also helped clarified a few things.  You stated user's being able to change their own password depended on access rights.  These are the access rights I have in my database.  Are these correct to allow user's to change their password:

===================================================
root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#

# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write
 by * read

# {0}ppolicy, {1}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
===================================================

I've been fiddling with my setup to see if I can't get it to work.  I read that you need to tell PAM on the client server to do a lookup for password policies using 'pam_lookup_policy yes' in the /etc/pam_ldap.conf file.  I was using libpam-ldapd instead of libpam-ldap which doesn't use the pam_ldap.conf file for its configuration (I shares its config file with libnss-ldapd which is the /etc/nslcd.conf file).  I uninstalled libpam-ldapd and installed libpam-ldap instead, adjusted the config file, and I appears to be getting a little further.  Now when I try to change my password on a client server I get the following:

===================================================
jschaeffer@defiler:~$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Permission denied
passwd: password unchanged

===================================================


I'm not sure why it wouldn't recognized that I did enter my previous password before I attempted to change it.


-Joshua

On 01/20/2014 12:53 AM, Dieter Klünter wrote:
Am Sun, 19 Jan 2014 14:18:56 -0700
schrieb Joshua Schaeffer <jschaeffer0922@gmail.com>:

I'm trying implement the password policy overlay into my openldap
setup, I'm running a Debian 7 server and installed openldap with the
package manager.

===================================================
root@baneling:~# dpkg -l | grep slapd
ii  slapd                            2.4.31-1+nmu2 amd64
OpenLDAP server (slapd)
===================================================

I currently have my ldap server setup for authentication and 
authorization, I'm using libnss-ldapd and libpam-ldapd on my other 
machines to search the ldap directory and would like to implement the 
password policy provided by the overlay.  I believe I've added the 
schema, loaded thedynamic module, and added the overlay to my 
databasecorrectly, however I'm not sure it's actually working. I've
been mostly followingthis article and the openldap documentation:

http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://www.openldap.org/doc/admin24/overlays.html#Password Policies 
<http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies>

Here is my slapd.d config (shortened for brevity):
===================================================
root@baneling:~# slapcat -b cn=config
[...]
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
structuralObjectClass: olcModuleList
entryUUID: ad917d22-1583-1033-9e53-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119183138Z
olcModuleLoad: {0}ppolicy.so
olcModulePath: /usr/lib/ldap
entryCSN: 20140119183433.154615Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119183433Z
[...]
dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy
[...]
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119194003Z
entryCSN: 20140119194003.774030Z#000000#00'+' .  I read0#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119194003Z
===================================================

And my container for the default policy:
===================================================
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 
ou=Policies,dc=harmonywave,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: ou=Policies,dc=harmonywave,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=Policies,dc=harmonywave,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 10
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 7776000
pwdMaxFailure: 6
pwdMinAge: 86400
pwdMinLength: 10
pwdMustChange: FALSE
pwdSafeModify: TRUE
sn: passwdpolicy
===================================================

However, I'm not sure the policy is actually being applied. I thought
it might be because I originally created my user before adding the
schema and overlay, so I deleted the user and recreated it.  I'm able
to log into a server using my uid, however if I try to change my
password I get the following:

===================================================
jschaeffer@defiler:~$ passwd
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
passwd: password unchanged
===================================================

I've been entering mycurrent password correctly when it asks and I am 
using a complex new password.  I also don't see any of the ppolicy 
attributes on my user (pwdChangeTime, pwdFailureTime,
pwdGraceUseTime, etc):

===================================================
root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com
-W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
Enter LDAP Password:
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jschaeffer
cn: Joshua Schaeffer
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/jschaeffer
loginShell: /bin/bash
gecos: Joshua Schaeffer
userPassword:: ....
===================================================

I've been searching around for on the web for answers to the passwd 
issue, but I've not been able to find anything useful. Does anyone
know how to verify that the ppolicy overlay is actually working?
rootdn must change user passwords, but this depends on access rules.
ppolicy attributes are operational, thus apply a '+' to the search
string, according to RFC-3673. You may obtain further information on
ppolicy by reading slapo-ppolicy(5).

-Dieter