OpenLDAP password quality control


Background to the issue

The OpenLDAP overlay ppolicy provides password policy controls which allow configuring things like minimum password length, password aging, max fail account lockout and password history.

ppolicy also has an attribute pwdCheckModule which can be used to load third party modules which provide a way to enforce password quality, number of uppercase, lowercase, digits and special characters.

According to the slapo-ppolicy man page:

pwdCheckModule is a non-standard extension to the LDAP password policy proposal

Description of the issue

When you look for ppolicy third party pwdCheckModules, the choice is quite limited and they are not maintained. pqchecker for example isn't maintained and doesn't work when installed using the .deb package. The error on Ubuntu 22.04 is something about a missing file which I briefly attempted to troubleshoot via strace, but it also causes a bit of noise in the logs; it's not clear why. I'm not going to show the logs because I don't think using pqchecker or others like BOFH and ppolicy-check-password are a viable solution, especially considering the date they were last updated.

The current workaround/solution

We've deployed an OpenLDAP server for authentication to commercial applications and to Linux. I'm using nslcd and libpam-cracklib on the Linux client side to enforce password quality controls and it's working well. Users are forced to change their password on first login to Linux thanks to the shadowLastChange attribute on the user account in LDAP; password length etc. is enforced by ppolicy and password quality by libpam-cracklib.

The issue with the current workaround/solution

nslcd doesn't allow you to configure a bind DN for changing the user passwords. There's a bind DN for searching the DIT, an optional bind DN for when root issues the passwd command on a user account, but when a user issues the passwd command, nslcd binds as the user to set the password. This means the user accounts have to have permission to set their own passwords which also means nothing is stopping them from using the ldappasswd command to set their password directly thereby getting around the libpam-cracklib password quality controls. It's not a huge issue because people in our organization are responsible and security conscious but I think we'd fail a security audit.

The question

What is the correct approach for implementing password quality control in OpenLDAP 2.5? I've looked at whether sssd provides a way to avoid the user binding to LDAP to set their password but it doesn't either.

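Added example, not part of the question and not code from pqchecker or any other ppolicy module: the kind of server-side quality check a pwdCheckModule performs. Because ppolicy runs it inside slapd (with pwdCheckQuality set to 1 or 2), the check applies to every client, including someone running ldappasswd directly, which is exactly the gap the PAM-only setup leaves open. slapd loads the module and calls its check_password entry point (the exact signature is documented in slapo-ppolicy(5) for your version); that entry point would pass the clear-text password and the entry's uid to the portable function below. The thresholds, the uid "jdoe" and the sample passwords are assumed values constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy thresholds. These are assumed values for the example; a real
 * module would read them from pwdCheckModuleArg or its own config file. */
#define MIN_LENGTH  12
#define MIN_UPPER   1
#define MIN_LOWER   1
#define MIN_DIGIT   1
#define MIN_SPECIAL 1

/* Case-insensitive substring test, so the uid check cannot be dodged by
 * changing letter case. Returns 1 if needle occurs in hay, else 0. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0) return 0;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Core quality check. pw is the clear-text password slapd hands the
 * module, uid is the entry's uid (may be NULL). Returns 0 when the
 * password passes and 1 otherwise, writing the reason into err; that
 * message is what ppolicy returns to the client alongside the
 * "quality checking" error, so it should say what to fix, not echo
 * the password. */
int check_password_quality(const char *pw, const char *uid,
                           char *err, size_t errlen)
{
    size_t len = 0, upper = 0, lower = 0, digit = 0, special = 0;

    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        len++;
        if (*p < 0x20 || *p == 0x7f) {
            snprintf(err, errlen, "password contains a control character");
            return 1;
        }
        if (isupper(*p))      upper++;
        else if (islower(*p)) lower++;
        else if (isdigit(*p)) digit++;
        else if (*p != ' ')   special++;  /* punctuation and non-ASCII bytes */
    }

    if (len < MIN_LENGTH) {
        snprintf(err, errlen, "password must be at least %d characters", MIN_LENGTH);
        return 1;
    }
    if (upper < MIN_UPPER || lower < MIN_LOWER ||
        digit < MIN_DIGIT || special < MIN_SPECIAL) {
        snprintf(err, errlen,
                 "password needs at least %d uppercase, %d lowercase, "
                 "%d digit and %d special characters",
                 MIN_UPPER, MIN_LOWER, MIN_DIGIT, MIN_SPECIAL);
        return 1;
    }
    if (uid && contains_ci(pw, uid)) {
        snprintf(err, errlen, "password must not contain the account name");
        return 1;
    }
    if (errlen) err[0] = '\0';
    return 0;
}

/* Stand-alone driver with constructed sample passwords for the uid "jdoe". */
int main(void)
{
    const char *samples[] = { "Correct-Horse-42", "jdoe-Secret-99",
                              "short1A!", "alllowercase123!" };
    char err[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = check_password_quality(samples[i], "jdoe", err, sizeof err);
        printf("%-20s -> %s%s\n", samples[i], rc ? "REJECT: " : "OK", rc ? err : "");
    }
    return 0;
}
```

Keeping the policy logic in a function that takes plain C strings means it can be unit-tested without a running slapd and reused unchanged when the entry point signature differs between OpenLDAP releases; only the thin wrapper that unpacks the entry and copies the message into slapd's error buffer needs to track the version.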