I suggest to check the pam-ldap config. IIRC it should be using the exop method to change password.

On Dec 23, 2017 1:17 PM, "André Rodier" <andre@rodier.me> wrote:
Hello all,

I have an LDAP server, that I use for system authentication, emails,
etc, in a domain (homebox.space)

I have the password policies defined in the LDAP database, but they
don't seem to apply to the users when changing a password.

Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but
only the last is working, i.e. passwords sent in clear text by an LDAP
client are automatically encrypted.

There is an overlay entry for the domain, example:

olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space

and a correct entry "pwdPolicySubentry" for each user.

However, when I try change the password with pam_ldap or using the
roundcube password plugin, even the minimal length rule is ignored.

The module configuration:
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib/ldap
> olcModuleLoad: {0}back_mdb
> olcModuleLoad: {1}ppolicy.la
> olcModuleLoad: {2}deref.la
> structuralObjectClass: olcModuleList
> entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
> creatorsName: cn=admin,cn=config
> createTimestamp: 20171223143824Z
> entryCSN: 20171223143828.930245Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143828Z

The overlay configuration
> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> objectClass: olcPPolicyConfig
> objectClass: olcOverlayConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: FALSE
> olcPPolicyForwardUpdates: FALSE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20171223143829Z
> entryCSN: 20171223143829.643274Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143829Z

The policy:
> dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
> pwdExpireWarning: 259200
> pwdMaxFailure: 5
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdMinLength: 8
> pwdCheckQuality: 0
> pwdAttribute: userPassword
> pwdLockoutDuration: 0
> pwdInHistory: 0
> sn: default
> pwdMaxAge: 31536000
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 300
> structuralObjectClass: person
> entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143830Z
> entryCSN: 20171223143830.545905Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223143830Z

Example of one user:

> dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
> pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
> shadowMin: 0
> uid: andre
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> loginShell: /bin/bash
> shadowFlag: 0
> uidNumber: 1001
> shadowMax: 999999
> gidNumber: 1001
> homeDirectory: /home/users/andre
> sn: Rodier
> shadowInactive: -1
> mail: andre@homebox.space
> givenName:: QW5kcsOp
> shadowWarning: 7
> structuralObjectClass: inetOrgPerson
> cn:: QW5kcsOpIFJvZGllcg==
> entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143831Z
> userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
> pwdChangedTime: 20171223150211Z
> entryCSN: 20171223150211.599058Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223150211Z
>


I have the whole source code here: https://github.com/progmaticltd/homebox/

The Ansible tasks I am using to configure the LDAP server are here:

https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/accounts/tasks/main.yml

Any help welcome.

Kind regards,
André Rodier.

PS: Merry Christmas / Happy new year / for those concerned.