This is the passwordPolicy.ldif:

dn: ou=policies,dc=*****,dc=*****
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: policies
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
#pwdFailureCountInterval: 30
#pwdGraceAuthNLimit: 5
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE


Thank you,
Liz


From: Michael Ströder <michael@stroeder.com>
Date: Thursday, September 24, 2015 at 10:56 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd

Real, Elizabeth (392K) wrote:
> # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> adding new entry "ou=policies,dc=*****,dc=*****"
> ldap_add: Object class violation (65)
> additional info: attribute 'ou' not allowed

What does passwordPolicy.ldif look like?
What's the set of object classes used?

Ciao, Michael.
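
Added example (not part of the original thread): a small Python check that reproduces why the server answers "attribute 'ou' not allowed". The entry is named by ou, but none of its listed object classes (pwdPolicy, person, top) permits that attribute. The schema table is abbreviated, the dc=example,dc=com suffix is a placeholder, and parse_entry and check_entry are hypothetical helper names.

```python
# Added example; MUST/MAY sets are abbreviated from the standard schema definitions.
PWD_MAY = ("pwdMinAge pwdMaxAge pwdInHistory pwdCheckQuality pwdMinLength pwdExpireWarning "
           "pwdGraceAuthNLimit pwdLockout pwdLockoutDuration pwdMaxFailure "
           "pwdFailureCountInterval pwdMustChange pwdAllowUserChange pwdSafeModify")
SCHEMA = {  # objectClass (lowercased) -> (MUST, MAY)
    "top": ("objectClass", ""),
    "person": ("sn cn", "userPassword telephoneNumber seeAlso description"),
    "organizationalunit": ("ou", "userPassword description seeAlso"),  # MAY is a subset
    "pwdpolicy": ("pwdAttribute", PWD_MAY),
}

def parse_entry(ldif):
    """Return (dn, object classes, {lowercased attr: name as written})."""
    dn, classes, attrs = None, [], {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or LDIF comment
        name, _, value = (part.strip() for part in line.partition(":"))
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()] = name
            if name.lower() == "objectclass":
                classes.append(value.lower())
    return dn, classes, attrs

def check_entry(ldif):
    """Return (attributes no listed class allows, MUST attributes missing)."""
    dn, classes, attrs = parse_entry(ldif)
    rdn_attr = dn.split("=", 1)[0].strip()        # assumes a single-valued RDN
    attrs.setdefault(rdn_attr.lower(), rdn_attr)  # naming attribute belongs to the entry
    must, allowed = set(), set()
    for oc in classes:
        oc_must, oc_may = SCHEMA[oc]
        must |= set(oc_must.split())
        allowed |= set(oc_must.lower().split()) | set(oc_may.lower().split())
    not_allowed = sorted(n for low, n in attrs.items() if low not in allowed)
    missing = sorted(m for m in must if m.lower() not in attrs)
    return not_allowed, missing

# Constructed sample: the object classes from the thread, placeholder suffix.
SAMPLE = """dn: ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: policies
sn: policies
pwdAttribute: userPassword
"""
```

check_entry(SAMPLE) reports ou as the only attribute no listed class allows; the same entry named by cn, which person requires, passes the check.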