To indicate that a user should be subject to a particular password policy (rather than automatically inheriting the default policy), include the ds-pwp-password-policy-dn operational attribute in that user’s entry with a value equal to the DN of the desired password policy for that user. This attribute can be explicitly included in a user’s entry, or it can be generated by a virtual attribute, which makes it easy to apply a custom password policy to a set of users based on a flexible set of criteria.

  1. Create a file (assign.ldif) with the following contents:
    dn: uid=user.1,ou=People,dc=example,dc=com 
    changetype: modify
    add: ds-pwp-password-policy-dn 
    ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
  2. Use ldapmodify to apply the modification to the user’s entry.
    $ bin/ldapmodify --filename assign.ldif