pam_passwdqc ldap problems

[Adams, Chris M, CTR,, DMDCWEST]

I'm having problems with my pam configuration on Solaris 8 using ldap.

Here's the relevant parts:

#
# Password management
#
other   password requisite              pam_passwdqc.so
min=disabled,disabled,di
sabled,disabled,8 max=8 passphrase=0 match=0 similar=deny random=0
enforce=every
one retry=1 ask_oldauthtok=update check_oldauthtok
other   password required               pam_dhkeys.so.1
#other  password requisite              pam_authtok_get.so.1
#other  password requisite              pam_authtok_check.so.1
other   password required               pam_authtok_store.so.1
...
#passwd auth required           pam_passwd_auth.so.1

adamscm at katana:~$ passwd
passwd: Changing password for adamscm
Password:
Enter current password:

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use an 8 character long
password with characters from all of these classes.  An upper
case letter that begins the password and a digit that ends it do
not count towards the number of character classes used.

Enter new password:
Re-type new password:
passwd: password successfully changed for adamscm


If I take out ask_oldauthtok=update check_oldauthtok, it doesn't prompt for
the password twice, but then I get:

adamscm at katana:~$ passwd
passwd: Changing password for adamscm
Password:

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use an 8 character long
password with characters from all of these classes.  An upper
case letter that begins the password and a digit that ends it do
not count towards the number of character classes used.

Enter new password:
Re-type new password:
Permission denied


Can anyone point me in the right direction on this?

thanks,
chris'