I'm really banging my head trying to get the ppolicy overlay to work
properly.
My only indication that I am partially on the right track is that if I set
pwdSafeModify=TRUE in my default policy, then I get the following error
from pam_ldap when changing my password. If I set it back to false, then I
can change my password.
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Authentication token manipulation error
However, everything else in the policy is being ignored. Any help would
be greatly appreciated.
Thanks!
* I am assuming that the password policy is going to be enforced by LDAP,
so testing with pam_ldap is not necessary at this point. I should be able
to use any client such as Apache Directory Studio to test the password policy.
Version Info:
CentOS 6.4
CentOS packaged openldap-servers-2.4.23
slapd.conf: # (I am aware that I have "* write". This is just for
desperate testing on a test box.)
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/pwm.schema
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
moduleload syncprov.la
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ACL
#######################################################################
access to attrs=userPassword,pwmResponseSet,pwmToken
by dn="uid=root,ou=People,dc=example,dc=net" write
by dn="cn=svc_pam,ou=SVC_Accounts,dc=example,dc=net" write
by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write
by dn="cn=replica,dc=example,dc=net" read
by anonymous auth
by self write
by * none
access to *
by self write
by * write
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=example,dc=net"
rootdn "cn=admin,dc=example,dc=net"
rootpw {SMD5}*********
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=net"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
directory /var/lib/ldap
loglevel 65535
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index contextCSN eq
index sudoUser eq
index entryCSN eq
index entryUUID eq
# default, policies, example.net
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default policy
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdLockout: TRUE
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdLockoutDuration: 45
pwdMaxFailure: 2
pwdFailureCountInterval: 1
pwdMinLength: 12
pwdCheckQuality: 1
pwdSafeModify: TRUE
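As an added example that is not part of the original post, the Python below parses the policy entry above and simulates the lockout and minimum-length checks those values configure, so the posted numbers can be sanity-checked without a running slapd; the bind-failure timestamps are constructed.

```python
import re

# Constructed copy of the pwd* attributes from the policy entry posted above.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=net
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdLockout: TRUE
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdLockoutDuration: 45
pwdMaxFailure: 2
pwdFailureCountInterval: 1
pwdMinLength: 12
pwdCheckQuality: 1
pwdSafeModify: TRUE
"""

def parse_policy(ldif):
    """Collect the pwd* attributes of an LDIF entry; numeric values become ints."""
    policy = {}
    for line in ldif.splitlines():
        m = re.match(r"^(pwd\w+):\s*(\S.*)$", line)
        if m:
            key, value = m.groups()
            policy[key] = int(value) if value.isdigit() else value
    return policy

def is_locked_out(policy, failure_times, now):
    """Lockout arithmetic ppolicy applies to binds: failures older than
    pwdFailureCountInterval seconds are purged (0 = never), and the account
    locks once pwdMaxFailure failures remain. Times are epoch seconds."""
    if policy.get("pwdLockout") != "TRUE" or not policy.get("pwdMaxFailure"):
        return False
    interval = policy.get("pwdFailureCountInterval", 0)
    recent = [t for t in failure_times if interval == 0 or now - t < interval]
    return len(recent) >= policy["pwdMaxFailure"]

def check_new_password(policy, candidate):
    """Length rule slapd can enforce when pwdCheckQuality is non-zero and the
    new password arrives in cleartext; returns an error string or None."""
    min_len = policy.get("pwdMinLength", 0)
    if policy.get("pwdCheckQuality", 0) and len(candidate) < min_len:
        return f"password too short: {len(candidate)} < pwdMinLength {min_len}"
    return None

POLICY = parse_policy(POLICY_LDIF)
```

With pwdFailureCountInterval at 1 second, the two failures needed for a lockout must land within the same second; spaced further apart they are purged and the account never locks.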