https://bugs.openldap.org/show_bug.cgi?id=9671
--- Comment #4 from Michael Ströder <michael@stroeder.com> ---
(In reply to Ondřej Kuzník from comment #3)

> On Tue, Sep 07, 2021 at 08:30:27PM +0000, openldap-its@openldap.org wrote:
> then we should revisit the Behera draft and check where it makes sense for attribute to be marked NO-USER-MODIFICATION.
My attempt to revive ietf-ldapext WG was not successful. So this is not an option.
> I've already had to make changes to the local version where things were omitted: https://git.openldap.org/openldap/openldap/-/commit/2b007d01dbd924cf11f88c2f8dbba26b5ba8b593
Hmm, not sure whether that leads to more interoperability.
> Sounds like adding manage permissions on the attribute (and maybe the "entry" attribute) could be a targeted way of allowing this operation?
I strongly dislike having to use the Relax Rules control to let the admin change pwdPolicySubentry. IMO this control must only be used in exceptional administrative use-cases. I have a very strong opinion on this.
In my local OpenLDAP 2.5.x builds I now simply remove NO-USER-MODIFICATION.
Ideally I'd prefer not having to deal with pwdPolicySubentry at all. But until ITS#9343 is implemented, NO-USER-MODIFICATION should be removed.
Another solution would be to have a separate attribute fooPasswordPolicy (or whatever name you'd prefer) for overriding, per entry, the computed pwdPolicySubentry. It also allows always computing the effective pwdPolicySubentry, including applying defaults. This is the approach at least one other LDAP server implements.
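The two mechanisms the comment contrasts, the targeted "manage" ACL from comment #3 and the Relax Rules control, can be seen side by side in a cn=config fragment. This is an added illustration, not part of the ITS thread or of OpenLDAP's own documentation; the database index, group DN, user DN and policy DN are assumed placeholders, and it assumes that changing a NO-USER-MODIFICATION attribute such as pwdPolicySubentry in slapd requires both "manage" access on the attribute and the Relax Rules control on the modify request.

```ldif
# Added example (constructed); {1}mdb, the group DN and the entry DNs are assumptions.
# Step 1, run by the config admin (no control needed):
#   ldapmodify -H ldapi:/// -Y EXTERNAL -f step1.ldif
# Grants "manage" on pwdPolicySubentry and the "entry" pseudo-attribute to a
# dedicated password-policy admin group only; everyone else falls through
# ("break") to the database's existing access directives, so the rule is
# scoped to exactly this operation.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=pwdPolicySubentry,entry
  by group.exact="cn=pwpolicy-admins,ou=groups,dc=example,dc=com" manage
  by * break

# Step 2, run by a member of cn=pwpolicy-admins, with the Relax Rules
# control attached (ldapmodify's "-e relax"):
#   ldapmodify -e relax -H ldap://ldap.example.com \
#     -D "uid=pwadmin,ou=people,dc=example,dc=com" -W -f step2.ldif
# Without -e relax the same modify is rejected for a NO-USER-MODIFICATION
# attribute even though the ACL above grants manage; that coupling is what
# the comment objects to for a routine per-entry policy assignment.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=strict,ou=policies,dc=example,dc=com
```

For auditing, a server-side check that the manage rule is actually scoped to the group (and not, say, `by users manage`) is the part worth reviewing: the Relax Rules control only affects the attribute's schema constraint, while the ACL determines who is allowed to send it at all.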