Question about a proposed workaround:
Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry attribute for each user to provide the desired 1.3.6.1.4.1.42.2.27.9.5.8 control response (see http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control), i.e., can pwdPolicySubentry be used to supply the sub-entry and related operational attributes needed to validate users for password-less logins?