On 13/04/2020 at 19:34, Hannah Chenh wrote:
Hello, I have a question related to rootdn and password policy.
I understand that the rootdn can bypass all restrictions. We have a requirement to bypass a password policy for the admin user. Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
Currently I have granted the following to the admin_user:
======
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abcdomain,dc=com" write by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write by * none
olcAccess: {1}to * by self write by dn.base="cn=Manager,dc=abcdomain,dc=com" write by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write by * read
======
Any help would be appreciated.
I have done some tests today and did not find a solution.
I tried to give the "manage" right to a service account, and then use the Relax or ManageDSAIT controls to force the change of a password which is too short; it is always rejected. The modification is only accepted if it is done by rootdn.
--
Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks | https://www.worteks.com