
ppolicy: pwdMinAge being enforced for managers



Hi all,

We're implementing a basic user directory with OpenLDAP and the ppolicy
attributes pwdMaxAge and pwdMinAge give us some desired functionality,
but we need the ability for managers to reset a user's password.

If we use the “rootdn” then this works, but we need to have other user
accounts designated as managers. Even if we define ACLs to give our
management group “manage” access we can still get the following from
ldappasswd:

Result: Constraint violation (19)
Additional info: Password is too young to change

Is there any way to designate a group of users as "managers" such that
pwdMinAge is not applied?

These are the ACLs we've tried without success to give the “UserAdmin”
group the rights:

cat <<__EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
# password attribute: users may change their own, UserAdmin may manage
olcAccess: to attrs=userPassword
  by self =xw
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" manage
  by anonymous auth
  by * none
olcAccess: to dn.base="ou=Users,${LDAP_SERVER_BASE}"
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" manage
  by * read
# the filter= clause belongs to the same "to" clause, so it is folded
# onto the continuation line (leading space) rather than starting a new line
olcAccess: to dn.children="ou=Users,${LDAP_SERVER_BASE}"
  filter=(objectClass=posixAccount)
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" write
  by * read
olcAccess: to dn.base="cn=UserAdmin,${LDAP_SERVER_BASE}" attrs=member
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" write
  by * read
olcAccess: to *
  by * read
-
__EOF

Thanks

Phil
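An added check (not from Phil's post or from OpenLDAP itself): unfold the post's olcAccess LDIF, with a placeholder base DN standing in for ${LDAP_SERVER_BASE}, to flag any unindented line that LDIF would not fold into the rule above it, and to read off what the first matching rule grants a given requester on userPassword.

```python
import re

BASE = "dc=example,dc=com"  # placeholder for the post's ${LDAP_SERVER_BASE}

# Constructed sample: two rules from the post, keeping the unindented
# "filter=" line that LDIF reads as a new (malformed) line, not a continuation.
LDIF = """dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
  by self =xw
  by group.exact="cn=UserAdmin,BASE" manage
  by anonymous auth
  by * none
olcAccess: to dn.children="ou=Users,BASE"
filter=(objectClass=posixAccount)
  by group.exact="cn=UserAdmin,BASE" write
  by * read
-""".replace("BASE", BASE)

def unfold(ldif):
    """Fold continuation lines (leading space) into the previous line; collect
    lines that are neither continuation, "-" nor "attr: value" as stray."""
    logical, stray = [], []
    for line in ldif.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += " " + line.strip()
        elif line == "-" or ":" in line:
            logical.append(line)
        else:
            stray.append(line)
    return logical, stray

def parse_rule(value):
    """Split 'to <what> by <who> <access> ...' into (what, [(who, access)])."""
    what, *by = re.split(r"\s+by\s+", value.strip())
    return what[len("to "):].strip(), [tuple(b.rsplit(" ", 1)) for b in by]

def access_for(ldif, who, what):
    """Access the first olcAccess rule for <what> grants <who> (or '*')."""
    logical, _ = unfold(ldif)
    for line in logical:
        if line.startswith("olcAccess:"):
            target, clauses = parse_rule(line.split(":", 1)[1])
            if target == what:
                for w, access in clauses:
                    if w in (who, "*"):
                        return access
    return None
```

If the rule already grants the group manage on userPassword, the constraintViolation (19) "Password is too young to change" comes from the ppolicy overlay rather than from ACL evaluation, which would instead return insufficientAccessRights (50).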