--On Friday, June 24, 2022 7:20 PM +0200 Uwe Sauter <[email protected]> wrote:
> As far as I understand, everybody with write access to the userPassword attribute can set this to any value. In order to involve the ppolicy module you need to use extended ldapmodify functionality (ldappasswd, ldapmodify -E ppolicy or a properly configured passwd/PAM stack).
It is possible to configure ppolicy to intercept MOD ops of userPassword to fix that issue. I don't think you can intercept ADD operations in this regard, however. Generally one has to create the entry and then set the userPassword afterwards with the extended op.
--Quanah
