I have a working LDAP server. Next added password policy to LDAP server. My password ldif looks like this:
dn: cn=MyPolicy,ou=Policies,dc=XXX,dc=XXXX
cn: MyPolicy
objectClass: pwdPolicy
#objectClass: pwdPolicyChecker
objectClass: device
objectClass: top
pwdAttribute: 2.5.4.35
#pwdAttribute: userPassword
pwdMaxAge: 7862400
pwdExpireWarning: 6048000
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 7
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdReset: FALSE
it is successfully added to my LDAP server. But only Lock out and Lock out duration is working. Password minimum length is not working.
pam configuration
Server side configuration
pam.d/common-auth
auth [success=1 default=ignore] pam_ldap.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8
password requisite pam_deny.so
password required pam_permit.so
Client side configuration
pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so null_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_ldap.so
account [success=1 default=ignore] pam_unix.so
account needs pam_deny.so
account required pam_permit.so
pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
ldap.conf
pam_lookup_policy yes
Can you please let me know where I am gone wrong.
If you're using OpenLDAP, the password policy overlay is completely bypassed by the ManagerDN. You should never use this yourself: it is only for the OpenLDAP server itself. You need to use another, less privileged but sufficiently priviledged, LDAP account for performing password modifications: preferably, the user's own account.