Hey;
Apparently, in my efforts to be brief, I didn't adequately outline the scenario. Users need to be able to change their own passwords once their account is configured in ldap and assigned an initial password. That's where pam comes in. Obviously, if I (or the user) change a user's account via ldap commands, pam restrictions.
I just verified that a test user can change his password to anything he wants via ldappasswd (bad... but have to have access to the command).
I also verified that the pam configuration affects password selection when the user is trying to change the password via the passwd command. (Got that working both locally and via ldap.)
So, I got the answer to my question and raised a bunch more potential issues that I'll have to ponder.
Thanks for the reply.
Doug O'Leary
------------
Senior UNIX/Security Admin
CISSP, CISA, RHCSA, CEH
O'Leary Computers Inc
dkoleary@olearycomputers.com
(w) 630-904-6098
(c) 630-248-2749
linkedin: http://www.linkedin.com/in/dkoleary
resume: http://www.olearycomputers.com/resume.html