Thanks, Clement for testing.  I agree. Looks like it can only be done by rootdn.

On Wed, Apr 15, 2020 at 9:40 AM Clément OUDOT <clement.oudot@worteks.com> wrote:


Le 13/04/2020 à 19:34, Hannah Chenh a écrit :
Hello,
I have a question related to rootdn and password policy.
I understand that the rootdn can bypass all restrictions.
We have a requirement to bypass a password policy for the admin user.  
Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
Currently I have granted the following to the admin_user:
 ===
dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword       by self write       by anonymous auth       by dn.base="cn=Manager,dc=abcdomain,dc=com" write       by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write       by * none olcAccess: {1}to *       by self write       by dn.base="cn=Manager,dc=abcdomain,dc=com" write       by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write       by * read
===
Any help would be appreciated.


I have done some tests today, I did not find a solution.

I tried to give the "manage" right to a service account, and then use the relax or ManageDSAIT controls to force the change of a password which is too short, it is always rejected. The modification is only accepted if it is done by rootdn.

-- 
Clément Oudot | Identity Solutions Manager

clement.oudot@worteks.com

Worteks | https://www.worteks.com