I tried with and with the '-e ppolicy' option but that did not make a difference in terms of behavior. It did make a difference for the output message.
For: ldappasswd -x -w oldpassword -a oldpassword -s test -D "uid=aUser, ou=MyUsers, dc=xyz, dc=com" -e ppolicy
The output is:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQY=
ppolicy: error=6 (Password is too short for policy)
For: ldappasswd -x -w oldpassword -a oldpassword -s test -D "uid=aUser, ou=MyUsers, dc=xyz, dc=com"
The ouput is shorter:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
They both checked the password policy ('test' was too short).
I am still confused about what this 'extension' does. Is that just about giving more details in the error output?
This is in openLDAP 2.4.39 and documented in the man ldapsearch page. The option is used in the ppolicy test code (test022-ppolicy).
Thanks,
Thierry