In my opinion, the pwdPolicySubentry attribute should be read-only,
generated by the server.

We had made the error in Sun Directory Server of allowing customers to set it
manually, and it was very confusing that the attribute served 2 roles: a
way to find the pwd policy entry applicable for the entry, and a way to set
a different or new policy for an account.

In OpenDJ (and all other servers from the same code base) we use 2
different attributes. That separation made it easier to handle for
applications and administrators.

My 2 cents

Ludo
