Otoh, making it user modifiable was a mistake and broke the rfc specification, which says it's a NO-USER-MODIFIABLE attribute.

Le samedi 19 décembre 2015, <ludovic.poitou@gmail.com> a écrit :
In my opinion, the pwdPolicySubentry attribute should be read-only generated by the server.  

We had made the error in Sun Directory Server to allow customers to set it manually, and it was very confusing that the attribute served 2 roles : a way to find the pwd policy entry applicable for the entry, and a way to set a different or new policy for an account. 

In OpenDJ ( and all other servers from the same code base) we use 2 different attributes. That separation made it easier to handle for applications and administrators. 

My 2 cents

Ludo



--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com