https://bugs.openldap.org/show_bug.cgi?id=9571
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
Behera v8 already specifies these requirements e.g. in 4.2.6 [0], just that ppolicy never implemented them. Also an application can:
- have its identity set to "manage"/"write" accordingly so it is/not considered "password administrator" in the eyes of the draft
- write the relevant attributes (pwdReset, ...) in the same operation overriding the defaults

Requiring the application to use the relax control to change certain attributes is not reversible AFAIK, which is why this was not done in 2.4...
Should we need to change any of this, we need to have a wider look at what it is we are trying to accomplish and how we want to do it.
[0]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-08#s...