OpenLDAP to 389-DS: Can I have "named password policies"?

Question

I'm trying to understand how "password policy" works in 389-DS, compared to OpenLDAP 2.4:

In OpenLDAP 2.4 I could define multiple "named" password policy entries, and assign those to user entries. For example I had a policy "interactive users" (personalized) and a policy "system users" (shared accounts), both with different settings.

In 389-DS is seems (despite that the whole concept seems quite different) that I can only have to choices:

1. Define a global policy that applies to every user
2. Define per user individual attributes

So when I want to verify that users have a specific policy that would be quite some work. Likewise when I update a policy.

So is my understanding correct? I'd like to define and use "named" password policies even in 389-DS.

Answer 1

It seems you cannot really have "named" password policies, but there seems to be a mechanism that virtually adds attributes as described in the Netscape Directory Server Deployment Guide: "A class of service (CoS) allows you to share attributes between entries in a way that is invisible to applications. With CoS, some attribute values may not be stored with the entry itself. Instead, they are generated by class of service logic as the entry is sent to the client application."

(This answer is still incomplete; I'll update it once I've verified things work as expected)

Chapter 4. Configuring time-based account lockout policies in Managing access control (of the Redhat Directory Server 12) describes the steps (create CoS template, create CoS definition entry), but not the concepts (e.g. cosSuperDefinition, cosPointerDefinition) behind. So it's really hard to apply the pattern.