openldap-2.3.30
Not sure if this is intended or not, but it seems to be impossible to delete the userPassword attribute from an entry if the ppolicy overlay is loaded.
I found this out when I accidentally added a userPassword attribute to a posixGroup entry and discovered I could no longer remove it:
$ ldapmodify -x -D cn=manager,dc=example,dc=com -w secret
dn: cn=ldapusers,ou=group,dc=example,dc=com
changetype: modify
delete: userpassword

modifying entry "cn=ldapusers,ou=group,dc=example,dc=com"
ldap_modify: Internal (implementation specific) error (80)
        additional info: Internal Error
If I unload the ppolicy overlay, the operation succeeds.
I have a default policy set which only specified the password attribute:
$ ldapsearch -x -LLL -b "ou=Password Policies,dc=example,dc=com"
dn: ou=Password Policies,dc=example,dc=com
ou: Password Policies
objectClass: organizationalUnit
description: Container for OpenLDAP password policies

dn: cn=default,ou=Password Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword
openldap-software@openldap.org