I don't really like using exception mechanisms like this, which are difficult to track for an administrator and may be abused by users if not protected appropriately.
In OpenDS we have some extended subtree specifications that allow filtering users in or out of the password policy definition itself.
I'm gonna be out for the next 3 weeks but will comment on your emails related to the password policy when I'm back. I didn't get the time to do it before today.
> It is desirable to have a mechanism to exclude (or exempt) a user from the policy. For instance, it's nasty for various accounts associated with application entities (as opposed to humans) to be locked out.
> In the Isode implementation, we have an operational single-valued attribute, pwdExclude, which if present in the user's entry and has the boolean value TRUE exempts the user from all password policy enforcement.
> It would be good to add something like this to the spec.
> -- Kurt
> Ldapext mailing list
> Ldapext@...
> https://www.ietf.org/mailman/listinfo/ldapext