ammy


Enforcing ppolicy on OpenLDAP users

I am working with OpenLDAP, using Apache Directory Studio as the client browser. I did whatever is required to enforce password policies (ppolicy) on the OpenLDAP users, but I still think something is missing somewhere. This is my ppolicy.ldif:

       # ppolicy.ldif: the suffix entry, a People container, a policies container,
       # two password-policy entries (cn=default, cn=strong) and one user (uid=jery).
       # NOTE(review): as pasted, every line starts with whitespace. In LDIF a line
       # that begins with a space is a continuation of the previous line, so if this
       # is not a paste artifact ldapadd would fold the records together; confirm the
       # real file starts every line in column 0.
       dn: dc=maxcrc,dc=com
       objectClass: top
       objectClass: domain
       dc: maxcrc

        dn: ou=People,dc=maxcrc,dc=com
       objectClass: organizationalUnit
       objectClass: top
       ou: People
       description: Container for user entries



      dn: ou=policies,dc=maxcrc,dc=com
      objectClass: top
      objectClass: organizationalUnit
      ou: policies

      # cn=default: the stricter of the two policies. slapd.conf's ppolicy_default
      # points at cn=strong, not at this entry, so cn=default only applies to users
      # that carry pwdPolicySubentry: cn=default,... — none do in this file.
      dn: cn=default,ou=policies,dc=maxcrc,dc=com
      objectClass: pwdPolicy
      objectClass: top
      # pwdPolicy is AUXILIARY; device only serves as the STRUCTURAL class.
      objectClass: device
      cn: default
      pwdAttribute: userPassword
      # users may change their own password (subject to the server's ACLs)
      pwdAllowUserChange: TRUE
      # 1 = check length/syntax when the password arrives in cleartext, and accept
      # it when it cannot be checked (e.g. sent pre-hashed); 2 would reject instead
      pwdCheckQuality: 1
      # seconds before expiry at which clients are warned (1 day)
      pwdExpireWarning: 86400
      pwdInHistory: 6
      pwdLockout: TRUE
      # seconds the account stays locked after pwdMaxFailure failed binds (32 min)
      pwdLockoutDuration: 1920
      # seconds (2 days) — a very short maximum age; confirm this is intended
      pwdMaxAge: 172800
      pwdMaxFailure: 4
      # a MINIMUM length; longer passwords are accepted by design
      pwdMinLength: 6
      # FALSE: the current password need not be supplied to set a new one
      pwdSafeModify: FALSE

      # uid=jery: pwdPolicySubentry selects cn=strong, which is also the server's
      # ppolicy_default, so as configured the attribute changes nothing.
      # objectClass pwdPolicy and pwdAttribute belong on the policy entries, not on
      # a user (pwdPolicy requires pwdAttribute, which is why it appears here);
      # dropping both from the user entry would be cleaner. No userPassword is set
      # in this file; the question states it is added later from Directory Studio.
      # NOTE(review): this user sits directly under the suffix, not in ou=People.
      dn: uid=jery,dc=maxcrc,dc=com
      objectClass: pwdPolicy
      objectClass: posixAccount
      objectClass: top
      objectClass: account
      cn: maxcrc jery
      gidNumber: 1011
      homeDirectory: /home/jery
        pwdAttribute: userPassword
      uid: jery
    uidNumber: 1011
    # NOTE(review): the value below ends in trailing spaces in the paste; LDIF keeps
    # them as part of the value, and whether slapd trims them from a DN-syntax
    # value or rejects the entry should be verified with ldapsearch. A policy DN
    # that resolves to no entry presumably falls back to ppolicy_default.
    pwdPolicySubentry:cn=strong,ou=policies,dc=maxcrc,dc=com      



      # cn=strong: despite its name this is the WEAKER policy — no lockout, no
      # history, no expiry warning, and no pwdCheckQuality (default 0 = no
      # checking), so pwdMinLength is never evaluated for it. Even with checking
      # on, pwdMinLength is a minimum: passwords longer than 4 characters are
      # expected to be accepted. Checks are also bypassed for operations done as
      # the rootdn (cn=Manager), as the answer notes — confirm which identity
      # Directory Studio binds with.
      dn: cn=strong,ou=policies,dc=maxcrc,dc=com
     objectClass: device
     objectClass: top
      objectClass: pwdPolicy
      cn: strong
      pwdAttribute: userPassword
      # seconds (15 days)
      pwdMaxAge: 1296000
     pwdMinLength: 4

It still allows me to set a userPassword of more than 4 characters from Apache Directory Studio. Can anyone tell me why that is? Thanks in advance.

Below is my slapd.conf file:

    # slapd.conf (slapd(8) legacy configuration): one bdb database holding
    # dc=maxcrc,dc=com with the ppolicy overlay, plus the cn=Monitor backend.
    # NOTE(review): as pasted, most directive lines start with whitespace; slapd.conf
    # treats a line that begins with whitespace as a continuation of the previous
    # line, so if this is not a paste artifact the file would not parse as intended —
    # confirm directives start in column 0 in the real file.
    # BDB Backend configuration file
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
     ucdata-path    ./ucdata
     include        ./schema/core.schema
      include       ./schema/cosine.schema
     include        ./schema/nis.schema
      include       ./schema/inetorgperson.schema
       include      ./schema/openldap.schema
          include       ./schema/dyngroup.schema
          # defines pwdPolicy and the pwd* attributes used in ppolicy.ldif; needed
          # before the overlay below can be configured
          include       ./schema/ppolicy.schema

            # provides the ppolicy overlay configured in the bdb database below
            moduleload      ppolicy.la
            moduleload      syncprov.la
            moduleload back_bdb.la
            # loaded but unused: no "database ldap" is defined in this file
            moduleload back_ldap.la
             pidfile        ./run/slapd.pid
                argsfile    ./run/slapd.args
                   # Enable TLS if port is defined for ldaps


             # never: the server does not request a client certificate, so clients
             # are authenticated by simple bind (password) only
             TLSVerifyClient never
               # NOTE(review): MEDIUM admits ciphers most current hardening guides
               # exclude; consider restricting to HIGH once client support is verified
               TLSCipherSuite HIGH:MEDIUM:-SSLv2
            # one file serves as certificate, private key and CA certificate
            # (presumably self-signed); because it holds the private key it must be
            # readable by the slapd user only
            TLSCertificateFile ./secure/certs/server.pem
            TLSCertificateKeyFile ./secure/certs/server.pem
            TLSCACertificateFile ./secure/certs/server.pem

               #######################################################################
           # bdb database definitions
           #######################################################################
             # cn=Monitor backend: exposes server statistics over LDAP
             database   monitor

            database    bdb
            suffix      "dc=maxcrc,dc=com"

             # invokes password policies for this DIT only
             overlay    ppolicy

             # Default ppolicy
                # applies to every entry that has no pwdPolicySubentry. Note this is
                # cn=strong, not cn=default from ppolicy.ldif: cn=strong sets no
                # pwdCheckQuality, so its pwdMinLength is never checked
                ppolicy_default "cn=strong,ou=policies,dc=maxcrc,dc=com"

            # Some ppolicy directives

             # a bind to a locked account gets an accountLocked result instead of
             # invalidCredentials, which tells the client the account exists and is
             # locked (see slapo-ppolicy(5)); leave it out if that disclosure matters
             ppolicy_use_lockout
                # cleartext userPassword values are hashed on add/modify so they are
                # never stored in the clear; the scheme comes from the global
                # password-hash directive, which this file does not set (server default)
                ppolicy_hash_cleartext


           # ACL1
           # NOTE(review): every access directive below is commented out, so slapd's
           # built-in default from slapd.access(5) applies: "access to * by * read".
           # Any client, including anonymous binds, can then read every attribute,
           # userPassword hashes included, and no one but the rootdn can write, so
           # pwdAllowUserChange has no effect. Re-enable ACL1 (userPassword: self
           # write, anonymous auth, everyone else none) and ACL3. Also, cn=Manager is
           # the rootdn, which already bypasses ACLs; group.exact expects a group
           # entry, so those clauses match nothing unless such an entry exists.


       #access to attrs=userPassword
       #      by self       write
       #    by anonymous  auth
        #   by group.exact="cn=Manager,dc=maxcrc,dc=com"
        #                 write
       #   by *          none
       # ACL3
  #access to *
     #    by self       write
       #   by group.exact="cn=Manager,dc=maxcrc,dc=com"
         #                write
       #   by users      read
     #   by *          none





          # the rootdn is not subject to access control and, as the answer notes, its
          # password changes are not policy-checked; use it for bootstrap/admin
          # tooling only, never for binds that should be subject to ppolicy
          rootdn        "cn=Manager,dc=maxcrc,dc=com"
        # Cleartext passwords, especially for the rootdn, should
         # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
          # Use of strong authentication encouraged.
          # "secret" is a cleartext placeholder; replace with a hash from slappasswd(8)
            rootpw    secret



     # The database directory MUST exist prior to running slapd AND
       # should only be accessible by the slapd and slap tools.
       # Mode 700 recommended.
           directory ./data
          # bdb: allow reads of modified but not yet committed data
          dirtyread
           # depth of the stack used to evaluate nested AND/OR search filters
           searchstack 20
       # Indices to maintain
           index mail pres,eq
          # NOTE(review): a presence index on objectClass is rarely useful (every
          # entry has one); (objectClass=...) filters use an eq index
          index objectclass pres
       # index types used by the directives below that name none (telephonenumber, cn)
       index default eq,sub
      index sn eq,sub,subinitial
       index telephonenumber
      index cn



Answers (1)

user207421


The password policy overlay does not apply its checks to operations carried out as the rootDN. You should instead use an admin login defined in the DIT that has the appropriate permissions.

