Michael,

Thank you for your reply.

I made several attempts to configure slapo-ppolicy but I’m not able to get it to work.

I gathered online documentation and did the following on my openldap 2.4.39 RHEL7 server to enable slapo-ppolicy:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: ou=policies,dc=cluster,dc=sec312

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy1.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=policies,dc=*****,dc=*****"
ldap_add: Object class violation (65)
	additional info: attribute 'ou' not allowed

Any advice will be greatly appreciated.

Thank you,
Liz
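An added example of a working slapo-ppolicy layout for the setup in this thread (not Liz's LDIF files or Michael's text); it assumes the base DN dc=cluster,dc=sec312 and the database olcDatabase={2}hdb from the posted configuration, and the policy values are illustrative:

```ldif
# Container for policies. An entry named "ou=..." needs an object class
# that permits the 'ou' attribute; organizationalUnit does, pwdPolicy
# (an auxiliary class that cannot stand alone) does not.
dn: ou=policies,dc=cluster,dc=sec312
objectClass: organizationalUnit
ou: policies

# Default policy: pwdPolicy is AUXILIARY, so it rides on a structural
# class; person is the one used in the slapo-ppolicy(5) example.
# Age and duration values are seconds and are illustrative.
dn: cn=default,ou=policies,dc=cluster,dc=sec312
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdInHistory: 5
pwdMinLength: 8
pwdCheckQuality: 1
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdMustChange: TRUE

# Overlay entry (cn=config, loaded over ldapi:/// with -Y EXTERNAL as in
# the thread). olcPPolicyDefault names the policy entry, not its parent OU.
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=cluster,dc=sec312
olcPPolicyHashCleartext: TRUE

# ACL: users write only their own userPassword. Nothing else is writable
# by self, so a user cannot edit shadow* attributes or pwdPolicySubentry
# to reset their own expiry or pick a weaker policy; the overlay maintains
# pwdChangedTime and the other pwd* operational attributes internally.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by users read
  by * none
```

The first two records go into the user database with its admin DN, the last two into cn=config. The catch-all rule grants authenticated users read only; widen it if your clients look up accounts with an anonymous bind.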

From: Michael Ströder <michael@stroeder.com>
Date: Friday, September 18, 2015 at 9:27 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd

Real, Elizabeth (392K) wrote:
This is my setup:
I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent
users with expired accounts from logging in: ldap_pwd_policy = shadow. This works as
expected.

Use OpenLDAP's slapo-ppolicy instead!
Using shadow account attributes has been deprecated for years.

pam_unix(passwd:chauthtok): user "real" does not exist in the /etc/passwd
pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown)
Gkr-pam: couldn't update the login keyring password: no old password was entered

This sounds more like PAM and sssd related. So you should sort this out first
- maybe by asking about the specific issues on the sssd-users mailing list.

In an attempt to allow users to change their ldap password, I edited my ACL on
the ldap server and added 'shadowLastChange':
[..]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by

Think twice! You should not do that because of security issues!

If you really insist on using shadow account attributes you have to use
slapo-smbk5pwd to let slapd set them internally when receiving a Password
Modify extended operation.

Ciao, Michael.