invalid syntax (21) error while importing password password policy

[Philip Bubel <philip@bubel.com>]

Running OpenLdap 2.4.23 on Centos 6.4 and we are having truoble enabling password polices.  I've read a number of FAQ's online, plus spent hours searching for a solution to this problem, although a lot of folks seem to have the same issue I haven't been able to find a solution that works for us.  I run into trouble running ldapadd to import the new policy.  I end up with the invalid syntax error I've included below, along with a copy of the .ldif file and my slapd.conf file.  I was able to create the policies OU without issue, I also tried using the OID for pwdAttribute instead of userPassword.

[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif 

Enter LDAP Password: 

adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"

ldap_add: Invalid syntax (21)

additional info: pwdAttribute: value #0 invalid per syntax

Contents of policy.ldif

n: cn=policy,ou=policies,dc=XXXX,dc=test

cn: default

objectClass: pwdPolicy

objectClass: person

objectClass: top

pwdAllowUserChange: TRUE

pwdAttribute: userPassword

pwdCheckQuality: 2

pwdExpireWarning: 600

pwdFailureCountInterval: 30

pwdGraceAuthNLimit: 5

pwdInHistory: 5

pwdLockout: TRUE

pwdLockoutDuration: 0

pwdMaxAge: 0

pwdMaxFailure: 5

pwdMinAge: 0

pwdMinLength: 5

pwdMustChange: FALSE

pwdSafeModify: FALSE

sn: dummy value

Contents of my slapd.conf

include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema

include         /etc/openldap/schema/samba.schema

include         /etc/openldap/schema/pmi.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap

moduleload ppolicy.la

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

TLSCertificateFile /etc/pki/tls/certs/slapd.pem

TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

database config

access to *

       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

        by dn.exact="cn=Manager,dc=XXXX,dc=test" read

        by * none

database        bdb

suffix          "dc=XXXXX,dc=test"

checkpoint      1024 15

rootdn          "cn=Manager,dc=XXXX,dc=test"

# Cleartext passwords, especially for the rootdn, should

# be avoided.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw          hello (Temp password used for testing)

overlay ppolicy

policy_default "cn=default,ou=policies,dc=XXXX,dc=test"

policy_use_lockout

directory       /var/lib/ldap

# Indices to maintain for this database

index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub