openldap - LDAP password policy minimum length is not working


I have a working LDAP server. Next I added a password policy to the LDAP server. The password policy LDIF looks like this:

    dn: cn=mypolicy,ou=policies,dc=xxx,dc=xxxx
    cn: mypolicy
    objectClass: pwdPolicy
    #objectClass: pwdPolicyChecker
    objectClass: device
    objectClass: top
    pwdAttribute: 2.5.4.35
    #pwdAttribute: userPassword
    pwdMaxAge: 7862400
    pwdExpireWarning: 6048000
    pwdInHistory: 3
    pwdCheckQuality: 2
    pwdMinLength: 7
    pwdMaxFailure: 3
    pwdLockout: TRUE
    pwdLockoutDuration: 300
    pwdGraceAuthNLimit: 0
    pwdFailureCountInterval: 0
    pwdMustChange: TRUE
    pwdAllowUserChange: TRUE
    pwdSafeModify: FALSE
    pwdReset: FALSE

I added it to the LDAP server. Lockout and lockout duration are working. Password minimum length is not working.

PAM configuration

Server side configuration

pam.d/common-auth

    auth [success=1 default=ignore] pam_ldap.so nullok_secure try_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so

pam.d/common-account

    account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
    account requisite pam_deny.so
    account required pam_permit.so

pam.d/common-password

    password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8
    password requisite pam_deny.so
    password required pam_permit.so

Client side configuration

pam.d/common-auth

    auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
    auth [success=1 default=ignore] pam_ldap.so use_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so

pam.d/common-account

    account [success=2 new_authtok_reqd=done default=ignore] pam_ldap.so
    account [success=1 default=ignore] pam_unix.so
    account requisite pam_deny.so
    account required pam_permit.so

pam.d/common-password

    password [success=2 default=ignore] pam_unix.so obscure sha512
    password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
    password requisite pam_deny.so
    password required pam_permit.so

ldap.conf

    pam_lookup_policy yes

Can you please let me know what has gone wrong?

    pwdLockout: TRUE
    pwdLockoutDuration: 300

These attributes are used on failed bind attempts to lock the account.

    pwdMinLength: 7

This attribute is checked when a user (except the manager DN) performs a modify password operation on the userPassword attribute. It does not lock already-created accounts that do not satisfy the rule.

Edit:

Considering the different comments, try to modify this line in the file /etc/ldap.conf:

From:

    pam_password crypt

To:

    pam_password exop

It modifies the password using the extended operation ModifyPassword, which should trigger the password policy.
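A verification that fits the answer above, added here and not part of the original question or answer: it reads the `pam_password` mode from an ldap.conf-style file, and, when connection details are supplied, confirms with ldappasswd (which uses the same Password Modify extended operation as `pam_password exop`) that a 6-character password is refused under `pwdMinLength: 7`. `LDAP_URI`, `BIND_DN`, `BIND_PW` and `TARGET_DN` are assumed environment variables; the bind must be as the user, not the manager DN, since the answer notes the manager bypasses the check.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the situation above:
#  pam_password_mode             : which password-change method pam_ldap is set to use
#  check_short_password_rejected : live check that a too-short password is refused
# Assumed environment: LDAP_URI, BIND_DN (the user, not the manager DN, which
# bypasses the policy), BIND_PW, TARGET_DN. The short password is constructed.

pam_password_mode() {
    # Print the value of the last uncommented "pam_password" line, or "unset".
    mode=$(sed -n 's/^[[:space:]]*pam_password[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        printf 'unset\n'
    fi
}

check_short_password_rejected() {
    # ldappasswd uses the Password Modify extended operation, the same path
    # "pam_password exop" takes, so the ppolicy overlay sees the change.
    # Expected refusal: result 19 (constraint violation),
    # "Password fails quality checking policy". Returns 0 if refused, 1 if accepted.
    short_pw='abc123'   # 6 characters, below pwdMinLength: 7
    if out=$(ldappasswd -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
                 -s "$short_pw" "$TARGET_DN" 2>&1); then
        printf 'FAIL: %s accepted a %d-character password\n' "$TARGET_DN" "${#short_pw}"
        return 1
    fi
    printf 'OK: short password refused: %s\n' "$out"
    return 0
}

# Offline usage: the two ldap.conf settings discussed in the answer.
tmp=$(mktemp)
printf 'pam_password crypt\n' > "$tmp"
printf 'before: pam_password %s\n' "$(pam_password_mode "$tmp")"
printf 'pam_lookup_policy yes\npam_password exop\n' > "$tmp"
printf 'after:  pam_password %s\n' "$(pam_password_mode "$tmp")"
rm -f "$tmp"

# Live usage, only when connection details are supplied.
if [ -n "${LDAP_URI:-}" ] && [ -n "${TARGET_DN:-}" ]; then
    check_short_password_rejected
fi
```

With `pam_password crypt`, pam_ldap rewrites the userPassword attribute directly, and the live check above is the quickest way to see whether the server-side policy is actually consulted after switching to `exop`.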

