Excellent, that's exactly what I needed to know, thank you!

I've removed the pwdPolicy entries from my system accounts and assigned them the cn=NoPasswordPolicy pwdPolicySubentry instead, thanks again!


-Michael Proto


On Wed, Jun 19, 2013 at 5:43 PM, Michael Ströder <michael@stroeder.com> wrote:
Michael Proto wrote:
> I'm currently seeing an issue with slapo-ppolicy and individual account
> overrides not being respected.
> [..]
> What I've done in the interim is create a new ppolicy container with no
> expiration and assigned my system account's pwdPolicySubentry attribute to
> that:
>
> # NoPasswordPolicy, Policies, domain
> dn: cn=NoPasswordPolicy,ou=Policies,dc=domain
> [..]

That's exactly how you should implement what you want to achieve:
Use pwdPolicySubentry instead of attaching pwdPolicy attrs to the entry itself.

Ciao, Michael.