Many thanks for the reply, helpful as always!

> I'm not sure what PAM is doing here. You can always verify that you are being properly
> restricted on password syntax by using ldapmodify or ldappasswd from the command line.

It seems not - ldappasswd doesn't enforce the policy whether I bind with the user in question or Directory Manager. I've tried with subtree policies and also user-only policies. If I try to change the password in the GUI, the password policy works ok.

> This entry has objectclass ldapSubEntry, which means it is hidden from normal searches.

Hmm, I wonder if PAM and ldappasswd are not finding the policies as a result of this? There is nothing interesting in the access log - I can see the extop password operation line but it doesn't say anything about the filter used to look for password policy objects? Is there perhaps a way to include ldapSubEntry objects in normal searches?

PK