Effective policy is determined by new_passwdPolicy() which considers
the modification
initiated by the password change extop to be internal and local
policy
is not
retrieved.
I suspected as much - this should probably go in the password policy
section of the documentation as there are all sorts of recommendations
flying round the Web for setting pam_password to "exop" to allow
password changes to work properly. It does indeed work but as you say,
it bypasses all password policies (except global ones it seems).
PK