>Hmm, I wonder if PAM and ldappasswd are not finding the policies as a >result of this? There is nothing interesting in the access log - I can >see the extop password operation line but it doesn't say anything about >the filter used to look for password policy objects? Is there perhaps a >way to include ldapSubEntry objects in normal searches? > > The server enforces the policy internally, and (at least in theory) all the code paths that modify passwords should be calling the same policy checking function. So ldappasswd, ldapmodify and the GUI should see exactly the same policy. If you turn up the logging level you might see more interesting output (in the errors log, not the access log, which is always quite terse).
