I think have have an idea about this now ... the problem seems to be the
exop password modify request. Subtree and user policies are ignored from
ldappasswd (which uses exop)
PAM (when pam_password is set to "exop" in /etc/ldap.conf)
But are ok from
Ldapmodify
PAM (when pam_password is set to "clear" in /etc/ldap.conf)
So, the RFC 3062 password modification requests seem to bypass the
subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4.
Now, am I right in thinking that I can use "clear" as long as I'm using
SSL to the LDAP server? What about setting local non-LDAP passwords with
this set to "clear" isn't that dangerous? I can't use "ssha"
for
pam_password as then password changes don't seem to work at all, which
is why I changed to "exop".
PK