This is the passwordPolicy.ldif:

dn: ou=policies,dc=*****,dc=*****

objectClass: pwdPolicy

objectClass: person

objectClass: top

cn: policies

sn: policies

pwdAllowUserChange: TRUE

pwdAttribute: userPassword

pwdCheckQuality: 2

pwdExpireWarning: 3600

#pwdFailureCountInterval: 30

#pwdGraceAuthNLimit: 5

pwdInHistory: 10

pwdLockout: TRUE

pwdLockoutDuration: 0

pwdMaxAge: 7776000

pwdMaxFailure: 5

pwdMinAge: 0

pwdMinLength: 8

pwdMustChange: FALSE

pwdSafeModify: FALSE

Thank you,

Liz

From: Michael Ströder <michael@stroeder.com>
Date: Thursday, September 24, 2015 at 10:56 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd

Real, Elizabeth (392K) wrote:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "ou=policies,dc=*****,dc=*****"

ldap_add: Object class violation (65)

additional info: attribute 'ou' not allowed

How does passwordPolicy.ldif look like?

What's the set of object classes used?

Ciao, Michael.