I think have have an idea about this now ... the problem seems to be the exop password modify request. Subtree and user policies are ignored from ldappasswd (which uses exop) PAM (when pam_password is set to "exop" in /etc/ldap.conf) But are ok from Ldapmodify PAM (when pam_password is set to "clear" in /etc/ldap.conf) So, the RFC 3062 password modification requests seem to bypass the subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4. Now, am I right in thinking that I can use "clear" as long as I'm using SSL to the LDAP server? What about setting local non-LDAP passwords with this set to "clear" isn't that dangerous? I can't use "ssha" for pam_password as then password changes don't seem to work at all, which is why I changed to "exop". PK
