- Says this should be supported via attribute SubtreeSpecification in the pwdPolicy subentry.
I think OpenLDAP does not support this attribute; it accepts it but does not do anything.
- Leaves room to make the requested behavior configurable in cn=config, or for that matter make it the default:
The draft mostly says ppolicy applies to "user entries". Browsing it quickly, I don't see it define what that means, nor consider the existence of non-user entries. A config attribute could define that.
I don't know if anyone will bother to implement this (patches welcome) but I don't see a formal problem with whether it could/should be done.