openldap-2.3.30
Not sure if this it intended or not, but it seems to be impossible to delete
the userPassword attribute from an entry if the ppolicy overlay is loaded.
I found this out when I accidentally added a userPassword attribute to a
posixGroup entry and discovered I could no longer remove it:
$ ldapmodify -x -D cn=manager,dc=example,dc=com -w secret
dn: cn=ldapusers,ou=group,dc=example,dc=com
changetype: modify
delete: userpassword
modifying entry "cn=ldapusers,ou=group,dc=example,dc=com"
ldap_modify: Internal (implementation specific) error (80)
additional info: Internal Error
If I unload the ppolicy overlay, the operation succeeds.
I have a default policy set which only specified the password attribute:
$ ldapsearch -x -LLL -b "ou=Password Policies,dc=example,dc=com"
dn: ou=Password Policies,dc=example,dc=com
ou: Password Policies
objectClass: organizationalUnit
description: Container for OpenLDAP password policies
dn: cn=default,ou=Password Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword