ldap password policy minimum length is not working


I have a working LDAP server. Next I added a password policy to the LDAP server. My password policy ldif looks like this:

dn: cn=MyPolicy,ou=Policies,dc=XXX,dc=XXXX
cn: MyPolicy
objectClass: pwdPolicy
#objectClass: pwdPolicyChecker
objectClass: device
objectClass: top
pwdAttribute: 2.5.4.35
#pwdAttribute: userPassword
pwdMaxAge: 7862400
pwdExpireWarning: 6048000
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 7
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdReset: FALSE

It is successfully added to my LDAP server. But only lockout and lockout duration are working. Password minimum length is not working.

pam configuration

Server side configuration

pam.d/common-auth
auth [success=1 default=ignore]  pam_ldap.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required  pam_permit.so

pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
account requisite    pam_deny.so
account required     pam_permit.so

pam.d/common-password
password [success=1 default=ignore]  pam_unix.so obscure sha512 minlen=8
password requisite  pam_deny.so
password required  pam_permit.so


Client side configuration

pam.d/common-auth
auth [success=2 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore]  pam_ldap.so use_first_pass
auth  requisite   pam_deny.so
auth  required    pam_permit.so

pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore]  pam_ldap.so
account [success=1 default=ignore]  pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

pam.d/common-password
password  [success=2 default=ignore] pam_unix.so obscure sha512
password  [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password  requisite  pam_deny.so
password  required   pam_permit.so

ldap.conf
pam_lookup_policy yes

Can you please let me know where I have gone wrong.



If you're using OpenLDAP, the password policy overlay is completely bypassed by the ManagerDN. You should never use this yourself: it is only for the OpenLDAP server itself. You need to use another, less privileged but sufficiently privileged, LDAP account for performing password modifications: preferably, the user's own account.

pwdLockout: TRUE
pwdLockoutDuration: 300

These attributes are used on failed bind attempts to lock an account

pwdMinLength: 7

This attribute is only checked when a user (except manager DN) performs a modify password operation on his userPassword attribute. It will not lock already created accounts which do not satisfy this rule.

EDIT:

Considering your different comments, try to modify the line in your file /etc/ldap.conf:

From:

pam_password crypt

To:

pam_password exop

It will modify the password using the extended operation modifypassword and so should trigger the password policy.
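The following is an added example (not part of the question or either answer) that models, locally and offline, the three points made in the two answers: the rootdn bypasses the ppolicy overlay entirely, pwdMinLength and pwdInHistory are only evaluated when a password is modified, and a value that arrives pre-hashed (which is what `pam_password crypt` sends as a `{crypt}`-prefixed modify) cannot be length-checked, so pwdCheckQuality decides whether it is accepted or refused. It parses the policy entry from the question; the rootdn value is an assumed placeholder, and the history check compares cleartext values for illustration rather than the hashed pwdHistory values the real overlay keeps.

```python
"""Local model of slapo-ppolicy checks for a password change (added example,
not from the question or either answer). Parses the policy entry from the
question and reports what the overlay would do for a given bind DN and new
password value. ROOT_DN is an assumed placeholder; the page does not give it."""
import re

# Policy entry from the question (commented-out attributes omitted).
POLICY_LDIF = """\
dn: cn=MyPolicy,ou=Policies,dc=XXX,dc=XXXX
cn: MyPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: 2.5.4.35
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 7
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
"""

ROOT_DN = "cn=admin,dc=XXX,dc=XXXX"  # assumed rootdn/ManagerDN placeholder
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")  # e.g. {crypt}, {SSHA}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.
    Skips '#' comments and blank lines, joins continuation lines that start
    with a space. Base64 ('::') values are not needed for this entry."""
    entry = {}
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_password_change(policy, bind_dn, new_password, history=()):
    """Return the reasons a password modify would be refused; [] means accepted.
    - rootdn: overlay bypassed, nothing is checked.
    - pre-hashed value: server cannot inspect it; pwdCheckQuality=2 refuses,
      0 or 1 accepts without a length check.
    - cleartext value: pwdMinLength applies when pwdCheckQuality > 0,
      pwdInHistory compares against the last N passwords (cleartext here)."""
    if bind_dn.lower() == ROOT_DN.lower():
        return []
    problems = []
    quality = int(policy.get("pwdCheckQuality", ["0"])[0])
    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    if HASH_PREFIX.match(new_password):
        if quality == 2:
            problems.append(
                "pwdCheckQuality=2: hashed password cannot be checked, rejected")
        return problems
    if quality > 0 and min_len and len(new_password) < min_len:
        problems.append(f"pwdMinLength: {len(new_password)} < {min_len}")
    in_history = int(policy.get("pwdInHistory", ["0"])[0])
    if in_history and new_password in list(history)[:in_history]:
        problems.append("pwdInHistory: password was used recently")
    return problems


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    user = "uid=bob,dc=XXX,dc=XXXX"  # constructed user DN
    for dn, pw in [(user, "short"), (ROOT_DN, "short"),
                   (user, "{crypt}$6$constructedhash"), (user, "longenough1")]:
        print(f"{dn:30} {pw:28} -> {check_password_change(policy, dn, pw) or 'accepted'}")
```

To exercise the real overlay rather than this model, change the password while bound as the user (for example `ldappasswd -D "uid=bob,dc=XXX,dc=XXXX" -W -S`), which sends the Password Modify extended operation with cleartext, so the server can apply pwdMinLength; a change pushed by the rootdn, or a pre-hashed value written with a plain modify, never reaches that check.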