In the ES3-bundled OpenLDAP, password policy controls are limited to shadow attributes. You don't mention them, but I assume you are using shadow attributes to control when passwords expire. This is a somewhat outdated way of managing password policy. While it's been far from painless, we have ppolicy implemented and mostly working in our shop. Overall it's worth the investment as it opens up much more functionality.
Upgrades aside, what you're trying to do should work. There are a few things you can check. First, be aware of what the shadow attributes are set to. This is relevant in troubleshooting. You should look at the shadowLastChange field to see if that is getting updated when a user runs passwd from a client. If this isn't happening, try checking whether you have "pam_passwd exop" enabled in your client's /etc/ldap.conf. I might be wrong here, but I think this might be needed in order to get shadowLastChange updating.
--AP
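A way to check the two things suggested above (whether shadowLastChange actually advanced after the passwd run, and what the current shadow attributes imply for the login) without touching a live server, as an added example that is not part of this thread: a small Python script that applies the shadowAccount / shadow(5) ageing rules to LDIF entries. It assumes RFC 2307 semantics (every value is a day count since 1970-01-01); the entries, the DN and the reference day are constructed, and the parser handles only plain `attr: value` lines (no base64 `::` values, no line folding).

```python
"""Diagnose shadowAccount password ageing the way a client PAM stack does.

Added example; the LDIF below is constructed, not taken from a real directory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed reference day (days since 1970-01-01), roughly June 2008.
TODAY = 14051

# Constructed entry as it might look after a passwd run that did NOT update
# shadowLastChange (e.g. client not using "pam_password exop"): 101 days old,
# so it is still past the 90-day limit even though the hash changed.
STALE_ENTRY = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
shadowLastChange: 13950
shadowMax: 90
shadowWarning: 7
"""

# Same constructed entry after a change that did update shadowLastChange.
FRESH_ENTRY = STALE_ENTRY.replace("shadowLastChange: 13950",
                                  "shadowLastChange: 14051")


@dataclass
class ShadowStatus:
    days_since_change: Optional[int]
    expires_in_days: Optional[int]   # negative: already past shadowMax
    state: str  # ok | warn | expired | inactive | must_change | no_ageing


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one simple LDIF entry into attr -> values. LDAP attribute names
    are case-insensitive, so keys are lower-cased for lookup."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def _int_attr(attrs: Dict[str, List[str]], name: str) -> Optional[int]:
    vals = attrs.get(name.lower())
    if not vals:
        return None
    try:
        return int(vals[0])
    except ValueError:
        return None


def shadow_status(attrs: Dict[str, List[str]], today: int = TODAY) -> ShadowStatus:
    """Apply shadow(5) rules: shadowLastChange 0 forces a change at next login,
    a missing/negative/99999 shadowMax disables ageing, and shadowInactive is a
    grace period after expiry before the account is locked outright."""
    last = _int_attr(attrs, "shadowLastChange")
    max_days = _int_attr(attrs, "shadowMax")
    warn = _int_attr(attrs, "shadowWarning")
    inactive = _int_attr(attrs, "shadowInactive")

    if last is None:
        return ShadowStatus(None, None, "no_ageing")
    if last == 0:
        return ShadowStatus(None, None, "must_change")
    age = today - last
    if max_days is None or max_days < 0 or max_days >= 99999:
        return ShadowStatus(age, None, "no_ageing")
    remaining = max_days - age
    if remaining < 0:
        # Past shadowMax: a password change is still allowed unless the
        # inactivity grace period has also run out.
        if inactive is not None and inactive >= 0 and -remaining > inactive:
            return ShadowStatus(age, remaining, "inactive")
        return ShadowStatus(age, remaining, "expired")
    if warn is not None and warn > 0 and remaining <= warn:
        return ShadowStatus(age, remaining, "warn")
    return ShadowStatus(age, remaining, "ok")


def lastchange_advanced(before: Dict[str, List[str]],
                        after: Dict[str, List[str]]) -> bool:
    """True if shadowLastChange moved forward between two reads of the entry,
    i.e. the password change really reset the ageing clock."""
    b = _int_attr(before, "shadowLastChange")
    a = _int_attr(after, "shadowLastChange")
    return b is not None and a is not None and a > b


if __name__ == "__main__":
    stale, fresh = parse_ldif_entry(STALE_ENTRY), parse_ldif_entry(FRESH_ENTRY)
    print("stale entry:", shadow_status(stale))
    print("fresh entry:", shadow_status(fresh))
    print("lastchange advanced (stale->stale):", lastchange_advanced(stale, stale))
    print("lastchange advanced (stale->fresh):", lastchange_advanced(stale, fresh))
```

To use it against a real entry, paste the output of `ldapsearch -x ... uid=<user> shadowLastChange shadowMax shadowWarning shadowInactive` taken before and after the user runs passwd into the two strings: if the status stays "expired" and `lastchange_advanced` is False, the hash changed but the ageing clock was never reset, which is exactly the loop described in the question.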
On Jun 21, 2008, at 4:47 AM, Kevin Brammer wrote:
Running the OpenLDAP server bundled with RH ES3. I had OpenLDAP running successfully. I could authenticate, pull information from the directory; everything seemed great! After the 90-day password rule I had put in place, I got the "your password has expired" message. I tried to change it, and it said it was successful. A subsequent login received the same message. Again I changed it, and it said successful. Now, I can't even log in.
I changed my user's password as root using ldappasswd, and a check of the entry shows the hash changing accordingly. However, I still can't log in as the user.
Any ideas?