After posting my article on ppolicy and OpenLDAP, I was asked whether it would be possible to create separate policies for different groups, rather than a single default.
There is a simple way to do this, pointed out to me by Gavin Henry of Suretec Systems on the OpenLDAP mailing lists:
"Every account that should be subject to password policy control should
have a pwdPolicySubentry attribute containing the DN of a valid
pwdPolicy entry, or they can simply use the configured default. In this
way different users may be managed according to different policies."
Therefore, the way to do it is to copy your cn=default,ou=policies,dc=example,dc=com to a new dn, such as cn=admins,ou=policies,dc=example,dc=com.
Then in each of your system admins, add the
*I'm currently waiting to work out how to apply ppolicy by group, rather than having multiple ppolicies applied individually.
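The two steps described above, copying cn=default to a new policy DN and then setting pwdPolicySubentry on each admin account, as an added example that is not part of the original post. It assumes the suffix dc=example,dc=com, the ou=policies container and the cn=default entry from the article; the account DNs (uid=...,ou=people,...), the bind DN cn=admin and the pwd* values are constructed sample data, not values from any real server.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the suffix
# dc=example,dc=com, the ou=policies container and a cn=default policy
# from the article; account DNs, bind DN and pwd* values are constructed.

BASE="dc=example,dc=com"
POLICY_OU="ou=policies,${BASE}"
ADMIN_DN="cn=admin,${BASE}"            # placeholder rootdn used for ldapadd/ldapmodify

# Constructed LDIF export of cn=default, standing in for the output of:
#   ldapsearch -x -LLL -D "$ADMIN_DN" -W -b "cn=default,$POLICY_OU"
SAMPLE_DEFAULT_LDIF='dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 1
pwdLockout: TRUE
pwdMaxFailure: 10'

# Step 1: copy cn=default to a new policy DN by rewriting only the naming
# attributes (dn, cn, sn); every pwd* value is carried over unchanged.
# Reads the export on stdin; $1 is the new policy's cn, e.g. admins.
clone_policy_ldif() {
  sed -e "s/^dn: cn=default,/dn: cn=$1,/" \
      -e "s/^cn: default$/cn: $1/" \
      -e "s/^sn: default$/sn: $1/"
}

# Tighten one pwd* attribute in the cloned LDIF (stdin -> stdout).
# $1 = attribute name, $2 = new value.
set_policy_attr() {
  sed -e "s/^$1: .*$/$1: $2/"
}

# Step 2: one modify record per account, pointing pwdPolicySubentry at the
# new policy. 'replace' keeps the LDIF idempotent if it is applied twice.
# $1 = policy cn, remaining args = account DNs.
subentry_ldif() {
  policy="cn=$1,${POLICY_OU}"
  shift
  for dn in "$@"; do
    printf 'dn: %s\nchangetype: modify\nreplace: pwdPolicySubentry\npwdPolicySubentry: %s\n\n' \
      "$dn" "$policy"
  done
}

# Convenience wrapper for system admins stored as uid=...,ou=people.
admins_subentry_ldif() {
  for uid in "$@"; do
    subentry_ldif admins "uid=${uid},ou=people,${BASE}"
  done
}

# Stand-alone run: emit both LDIF documents to stdout. Apply them with
#   ldapadd    -x -D "$ADMIN_DN" -W -f admins-policy.ldif
#   ldapmodify -x -D "$ADMIN_DN" -W -f admins-subentry.ldif
printf '%s\n' "$SAMPLE_DEFAULT_LDIF" \
  | clone_policy_ldif admins \
  | set_policy_attr pwdMinLength 14 \
  | set_policy_attr pwdMaxFailure 5
echo
admins_subentry_ldif alice bob
```

Because pwdPolicySubentry is an operational attribute, confirm the assignment by asking for it by name: `ldapsearch -x -LLL -D "$ADMIN_DN" -W -b "uid=alice,ou=people,dc=example,dc=com" pwdPolicySubentry`. An account without the attribute silently falls back to the configured default policy, so a missing value on one admin is easy to overlook.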