In OpenLDAP server I can see that ppolicy is working as expected:
Jun 16 18:12:13 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 112 seconds Jun 16 18:13:12 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 53 seconds Jun 16 18:13:44 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 21 seconds Jun 16 18:13:59 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 6 seconds Jun 16 18:14:11 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins Jun 16 18:14:19 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins Jun 16 18:19:43 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
but I don't understand why in the client prompt I don't see these warning. The only warning I see is when the password has already expired (setting up the 'pam_password_prohibit_message' in ldap.conf client side):
You are required to change your LDAP password immediately. Please visit http://my_gui_to_change_password Old Password:
¿Why can I see this message and not the expire time or grace login warnings?