openldap, password-policy

How to activate password policy to use Extended operation for password reset in OpenLDAP/windows


I have created a password policy by following the procedure described for OpenLDAP, but I don't observe its effect when I change a user's password through the extended operation. I get the response control, but it only carries a warning instead of an error.

So the question is: what is missing on my side? How do I enforce the password policy when using the extended operation to reset a password? Once I define a password policy, will it apply to all existing users in the OpenLDAP server, or only to new users?


Solution

  • You must not use the ManagerDN account for anything yourself. It bypasses all overlays and gives you infinite access to the DIT, which you don't want.

    Your applications should run as users with entries in the DIT which are given appropriate permissions in the configuration.

    I've defined admin groups for that, which all the applications and the human administrators are part of; this makes the configuration simpler (and adding/changing admins or applications later much simpler). Mine goes something like this, in slapd.conf syntax; converting it to slapd.d online syntax is left as an exercise for the reader. Note that you'll have to change the base DNs etc. to suit your own DIT, maybe the group classes and attribute names as well.

    # Password attribute: the rootdn, the admin and application groups, and the
    # entry's owner may write it; anonymous may only use it to authenticate
    # (simple bind); nobody else gets anything. Order matters: slapd stops at
    # the first "by" clause that matches the requester.
    access to attrs=userPassword
        by dn.exact="cn=Manager,dc=XXX,dc=com" write
        by group/groupOfUniqueNames/uniqueMember="cn=LDAP admins,ou=Groups,dc=XXX,dc=com" write
        by group/groupOfUniqueNames/uniqueMember="cn=Applications,ou=Groups,dc=XXX,dc=com" write
        by anonymous auth
        by self write
        by * none
    
    # Everything else: owners, the replication account, the rootdn and the two
    # groups may write; any authenticated user may read; anonymous may only
    # search, not read.
    access to *
        by self write
        by dn="cn=Replicator,dc=XXX,dc=com,c=us" write
        by dn.exact="cn=Manager,dc=XXX,dc=com" write
        by group/groupOfUniqueNames/uniqueMember="cn=LDAP admins,ou=Groups,dc=XXX,dc=com" write
        by group/groupOfUniqueNames/uniqueMember="cn=Applications,ou=Groups,dc=XXX,dc=com" write
        by users read
        by anonymous search
        by * none
    

    Note that this setup also allows users to change their own passwords, so you can now bind as the user when doing that.
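
The same two ACLs in cn=config (slapd.d) form, as an added example that is not part of the original answer. The database DN olcDatabase={1}mdb,cn=config is an assumption (check yours before applying), and the dc=XXX,dc=com placeholders are carried over from the answer.

```ldif
# Added example, not from the original answer.
# Assumed target database: olcDatabase={1}mdb,cn=config. Confirm with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
# "replace" throws away every olcAccess value the database already has, so
# the full ordered list must be given here. The {n} prefix fixes evaluation
# order. LDIF folding: a continuation line starts with one space that is
# stripped on parse, so each "by" line below begins with TWO spaces to keep
# a real space between the clauses.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=Manager,dc=XXX,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP admins,ou=Groups,dc=XXX,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=Applications,ou=Groups,dc=XXX,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to *
  by self write
  by dn="cn=Replicator,dc=XXX,dc=com,c=us" write
  by dn.exact="cn=Manager,dc=XXX,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP admins,ou=Groups,dc=XXX,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=Applications,ou=Groups,dc=XXX,dc=com" write
  by users read
  by anonymous search
  by * none
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then read the result back with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` to confirm the order slapd will evaluate.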