RHEL-97565

On RHDS 12.6, the user password policy for a user was created, but the pwdpolicysubentry attribute for this user incorrectly points to the People OU password policy instead of the user-specific policy.


    • 389-ds-base-3.1.3-2.el10
    • Yes
    • Low
    • ZStream
    • rhel-idm-ds
    • 0
    • False
    • False
    • Yes
    • None
    • Regression Exception
    • Bug Fix
      .Newly created user password policies are displayed correctly

      Before this update, the `cosAttribute` attribute in the Class of Service (CoS) template had the `operational` modifier instead of `operational-default`. As a consequence, when both subtree and user password policies existed, the `pwdpolicysubentry` attribute pointed to the subtree password policy instead of the user password policy. With this release, the CoS template uses the `operational-default` modifier. As a result, the user policy is displayed correctly.

      NOTE: This issue affected only displaying the policies, not the actual password policy logic.
    • Done
    • Unspecified
    • Unspecified
    • Unspecified
    • x86_64
    • None

      On RHDS 12.6, the user password policy for user testuser was created, but the pwdpolicysubentry attribute for this user incorrectly points to the People OU password policy instead of the user-specific policy.

      Reproducer steps:

      1. Create a user policy for user testuser:

          dsconf -D "cn=Directory Manager" ldap://rhds.example.com localpwp adduser --pwdhistory 2 --pwdexpire 100000 --pwdmincategories 3 --pwdwarning 3000 uid=testuser,ou=People,dc=example,dc=com
          Enter password for cn=Directory Manager on ldap://rhds.example.com:
          Successfully created user password policy

      2. Query the attribute pwdpolicysubentry for user testuser; in this case the value of the attribute pwdpolicysubentry should be the value inherited from the People OU.

          ldapsearch -H ldap://rhds.example.com:389 -D 'cn=Directory Manager' -W -b ou=People,dc=example,dc=com uid=testuser001 pwdpolicysubentry
          Enter LDAP Password:
          # extended LDIF
          #
          # LDAPv3
          # base <ou=People,dc=example,dc=com> with scope subtree
          # filter: uid=testuser001
          # requesting: pwdpolicysubentry
          #

          # testuser001, People, rhds.example.com
          dn: uid=testuser001,ou=People,dc=example,dc=com
          pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3DPeople\2Cdc\3example\2Cdc\3Dcom\,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com

          # search result
          search: 2
          result: 0 Success

          # numResponses: 2
          # numEntries: 1

      3. Query the attribute pwdpolicysubentry for user testuser. Given that we have created a specific user password policy, the value of the attribute pwdpolicysubentry should be that of the entry created for this user specifically. It can be concluded that even though a specific user password policy for user testuser was created, the attribute value pwdpolicysubentry for user testuser is set to the one for the People OU password policy and NOT to the user-specific policy.

          ldapsearch -H ldap://rhds.example.com:389 -D 'cn=Directory Manager' -W -b ou=People,dc=example,dc=com uid=testuser pwdpolicysubentry
          Enter LDAP Password:
          # extended LDIF
          #
          # LDAPv3
          # base <ou=People,dc=example,dc=com> with scope subtree
          # filter: uid=testuser
          # requesting: pwdpolicysubentry
          #

          # testuser, People, rhds.example.com
          dn: uid=testuser,ou=People,dc=example,dc=com
          pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3DPeople\2Cdc\3example\2Cdc\3Dcom\,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com

          # search result
          search: 2
          result: 0 Success

          # numResponses: 2
          # numEntries: 1

      4. The user-specific password policy is ONLY applied when the People OU password policy is removed.

          dsconf -D "cn=Directory Manager" -W ldap://rhds.example.com localpwp remove ou=People,dc=example,dc=com
          Enter password for cn=Directory Manager on ldap://rhds.example.com:
          Successfully deleted subtree policy

      5. Query the attribute pwdpolicysubentry for user testuser. Given that we have created a specific user password policy, the value of the attribute pwdpolicysubentry should be the entry created for this user specifically. It can be concluded that the specific user policy was only applied when the People OU password policy was removed.

          ldapsearch -H ldap://rhds.example.com:389 -D 'cn=Directory Manager' -W -b ou=People,dc=example,dc=com uid=testuser pwdpolicysubentry
          Enter LDAP Password:
          # extended LDIF
          #
          # LDAPv3
          # base <ou=People,dc=example,dc=com> with scope subtree
          # filter: uid=testuser
          # requesting: pwdpolicysubentry
          #

          # testuser, People, rhds.example.com
          dn: uid=testuser,ou=People,dc=example,dc=com
          pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry_user\2Cuid\3Dtestuser\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom\,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
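      A check for the symptom in these steps, added here as an example (not code from the bug report or from 389-ds): it parses the LDIF that ldapsearch prints, decodes the escaped policy DN and reports whether a user that was given its own policy with `dsconf localpwp adduser` actually sees an `nsPwPolicyEntry_user` policy pointing at itself rather than the `nsPwPolicyEntry_subtree` one. The sample LDIF is constructed from the reproducer output (with the `\3D` escape spelled out in full), the classification relies on the `nsPwPolicyEntry_user` / `nsPwPolicyEntry_subtree` / `nsPwPolicyContainer` naming visible above, and `audit()`, `describe_policy()` and the other helper names are this example's own.

```python
"""Audit the password policy RHDS/389-ds entries report in pwdpolicysubentry.

Added example for this issue, not code from the bug report or from 389-ds. It
reads ldapsearch LDIF output like the reproducer's, decodes the escaped policy
DN, classifies it by the names dsconf gives local policy entries
(nsPwPolicyEntry_user / nsPwPolicyEntry_subtree) and flags users that own a
policy but still see the subtree one. The sample LDIF is constructed.
"""
import re

HEX = "0123456789abcdefABCDEF"
# Policy DNs as ldapsearch printed them in the reproducer (escapes kept verbatim).
SUBTREE_POLICY = r"cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom\,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com"
USER_POLICY = r"cn=cn\3DnsPwPolicyEntry_user\2Cuid\3Dtestuser\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom\,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com"
# Shape of a local policy's cn once unescaped: <kind marker>,<covered dn>,<container>
POLICY_RE = re.compile(r"cn=nsPwPolicyEntry_(user|subtree),(.+?),cn=nsPwPolicyContainer", re.I)


def sample_ldif(policy_dn):
    """Constructed ldapsearch output for uid=testuser reporting policy_dn."""
    return ("# extended LDIF\n#\n# filter: uid=testuser\n#\n\n# testuser, People, example.com\n"
            "dn: uid=testuser,ou=People,dc=example,dc=com\n"
            f"pwdpolicysubentry: {policy_dn}\n\n# search result\nsearch: 2\nresult: 0 Success\n")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips '#' comments, splits
    records on blank lines and keeps only those with a dn ('::' base64 values are
    left undecoded; none are needed here)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # folded continuation line
        else:
            lines.append(line)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            entries.append(current)        # empty records are dropped below
            current = {}
            continue
        name, sep, value = line.partition(":")
        if sep:
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return [e for e in entries if "dn" in e]


def unescape_dn_value(value):
    """Decode RFC 4514 escapes: backslash + two hex digits is a raw byte (bytes are
    joined and decoded as UTF-8); backslash + any other character is literal."""
    raw, i = bytearray(), 0
    while i < len(value):
        c = value[i]
        pair = value[i + 1:i + 3] if c == "\\" else ""
        if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
            raw.append(int(pair, 16))
            i += 3
        elif c == "\\" and i + 1 < len(value):
            raw += value[i + 1].encode()
            i += 2
        else:
            raw += c.encode()
            i += 1
    return raw.decode("utf-8", errors="replace")


def describe_policy(policy_dn):
    """Classify a pwdpolicysubentry value -> (kind, covered dn). dsconf names a
    local policy entry after the DN it covers and stores that DN, escaped, as the
    entry's cn under cn=nsPwPolicyContainer; unescaping the whole value and
    matching that shape works whether a backslash-comma (as in the reproducer)
    or a plain comma separates the RDNs."""
    m = POLICY_RE.search(unescape_dn_value(policy_dn))
    return (m.group(1).lower(), m.group(2)) if m else ("other", None)


def audit(ldif_text, users_with_own_policy):
    """One dict per entry; ok is False when a DN given to 'dsconf localpwp adduser'
    does not report a user policy covering itself (the symptom in this issue)."""
    own = {dn.lower() for dn in users_with_own_policy}
    report = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        vals = entry.get("pwdpolicysubentry")
        kind, target = describe_policy(vals[0]) if vals else ("none", None)
        ok = dn.lower() not in own or (kind == "user" and (target or "").lower() == dn.lower())
        report.append({"dn": dn, "kind": kind, "target": target, "ok": ok})
    return report


if __name__ == "__main__":
    for label, policy in (("before fix", SUBTREE_POLICY), ("after fix", USER_POLICY)):
        print(label, audit(sample_ldif(policy), {"uid=testuser,ou=People,dc=example,dc=com"}))
```

      To run it against a live directory, pass the output of the ldapsearch command from step 3 to audit() in place of sample_ldif(), together with the set of user DNs you created policies for; an entry with ok False is one that still displays the subtree policy.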

              idm-ds-dev-bugs IdM DS Dev
              rhn-support-pdoiphod Priyanka Doiphode
              IdM DS Dev IdM DS Dev
              IdM DS QE IdM DS QE
              Evgenia Martyniuk Evgenia Martyniuk