I am trying to implement a set of password policies that vary for different groups of users. Each group is conveniently contained in a subtree of the DIT, so it seems that this should work easily.

At the root of each subtree I have created a pwdPolicy subentry of the form:

dn: cn=ppolicy,ou=some-group,dc=example,dc=com objectclass: subentry objectclass: pwdPolicy cn: ppolicy pwdAttribute: userPassword pwdMinLength: 6 pwdCheckQuality: 2 subtreeSpecification: { }

OpenLDAP (version 2.3.39 in this case) recognises the subentry and gives it the special treatment specified for searches etc, but does not seem to be applying the policy it contains to users in the subtree. I have a default password policy stored elsewhere in the DIT and referenced in the ppolicy overlay config: this does take effect, but its name does not show up in the pwdPolicySubentry operational attribute of any user.

If I force the name of the policy into pwdPolicySubentry then it does take effect, but that is not the point: the subentry should set this attribute automatically.

The problem may be that the root of the subtree is not marked as an administration point: OpenLDAP 2.3.39 knows about the administrativeRole attribute but seems to have 'not implemented' hard-wired into the result code.

Are subentries expected to work, or am I mis-reading something here?

Thanks

Andrew