Thanks so much, Jon!
I can see it clearly now!
# Service Accounts, domain
dn: ou=Service Accounts,domain
# g14classified, Service Accounts, domain
dn: uid=g14classified,ou=Service Accounts,domain
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,domain
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Wed, Oct 25, 2017 at 9:34 AM, Jon C Kidder <jckidder(a)aep.com> wrote:
pwdPolicySubentry is an operational attribute. It will not be returned in search results unless you explicitly request it or use + in your requested attribute list.
If you change the add to a replace in your ldif file your modify operation should succeed.
*JON C KIDDER* | *MIDDLEWARE ADMINISTRATOR LEAD*
JCKIDDER(a)AEP.COM | D:614.716.4970
1 RIVERSIDE PLAZA, COLUMBUS, OH 43215
*From:* openldap-technical [mailto:openldap-technical-bounces@openldap.org]
*On Behalf Of *Douglas Duckworth
*Sent:* Wednesday, October 25, 2017 9:24 AM
*To:* Openldap Technical
*Subject:* [EXTERNAL] pwdPolicySubentry: value #0 already exists
Hi
I am trying to make sure my bind Service Account's password does not expire. I set this in ou=Policies with the intention that the policy would only be applied to this user:
# Policies, domain
dn: ou=Policies,domain
ou: Policies
objectClass: organizationalUnit
# CustomBindAccountPolicy, Policies, domain
dn: cn=CustomBindAccountPolicy,ou=Policies,domain
objectClass: person
objectClass: top
cn: passwordDefault
cn: CustomBindAccountPolicy
sn: passwordDefault
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdLockout: FALSE
However, I do not see this dn referenced on the user:
# importantuser, Service Accounts, domain
dn: uid=importantuser,ou=Service Accounts,domain
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: extensibleObject
uid: binduser
cn: bind
sn: user
givenName: binduser
title: Account
loginShell: /dev/null
uidNumber: 123
gidNumber: 456
homeDirectory: /dev/null
description: Service Account
userPassword:: password123
When I try to add using ldapadd and this ldif:
dn: uid=importantuser,ou=Service Accounts,domain
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu
I get this error:
me@nsa[~/ldap]$ ladd server.ldif
Enter LDAP Password:
modifying entry "uid=importantuser,ou=Service Accounts,domain"
ldap_modify: Type or value exists (20)
additional info: modify/add: pwdPolicySubentry: value #0 already exists
Do you have any idea what could be happening? My ACLs allow the binduser to see everything so I don't understand what's happening.
Thank you very much!
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
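Putting Jon's two points together, as an added example that is not part of the thread: the modify uses replace rather than add (the entry already holds a value for the attribute), and the follow-up search names the operational attribute explicitly (or adds +) so that it is actually returned. The suffix `domain` is the placeholder used in the messages above; the bind DN `cn=admin,domain` and the server URL `ldap://localhost` are assumed values.

```ldif
# Apply with (bind DN and server URL are assumed values):
#   ldapmodify -x -H ldap://localhost -D cn=admin,domain -W -f policy.ldif
dn: uid=importantuser,ou=Service Accounts,domain
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,domain

# Verify afterwards. pwdPolicySubentry is operational, so a plain search
# omits it; request it by name or append '+' to the attribute list:
#   ldapsearch -x -H ldap://localhost -D cn=admin,domain -W -LLL \
#     -b "ou=Service Accounts,domain" "(uid=importantuser)" pwdPolicySubentry +
```

The search should then list the policy DN on the entry; since that policy sets pwdMaxAge: 0, the account's password will not expire, which is worth recording alongside the ACLs that grant this bind account its read access.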