There are two primary ways to change user passwords in the server:

  • Perform a modify operation which replaces the value of the password attribute (often userPassword).

    In some configurations, when a user attempts to change their own password, it might be necessary to perform the modification by removing the password value and adding the desired new value to demonstrate that the user knows the current password value.

  • Use the password modify extended operation to change the password.

    If a user is changing their own password, it might be necessary to provide the current password value. A new password can be provided, in which case it must be acceptable to all configured password validators, or the server can automatically generate a new password for the user.


Regardless of the mechanism used to change the password, all password values should be provided in cleartext rather than pre-encoded, and the user must have sufficient access control rights to update the password attribute in the target user’s entry.

When one user attempts to change the password for another user, the requester must have the password-reset privilege.
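The request value that the password modify extended operation carries is defined in RFC 3062, and the sketch below encodes and decodes it to show which optional fields are present for a self-service change, an administrative reset, and a server-generated password. It is an added example, not code from the server or its documentation; the function names and the sample DN and passwords are constructed for illustration.

```python
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName, RFC 3062
# Context-specific tags of the three optional OCTET STRING fields.
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Build the request value; a field left as None is omitted.

    No user_identity means the bound user; no new_passwd asks the server
    to generate the password. Passwords are passed in cleartext.
    """
    body = b""
    for tag, text in zip(FIELDS, (user_identity, old_passwd, new_passwd)):
        if text is not None:
            raw = text.encode("utf-8")
            body += bytes([tag]) + _ber_len(len(raw)) + raw
    return b"\x30" + _ber_len(len(body)) + body


def _read_len(buf, pos):
    """Read a BER length at pos; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def decode_request(value):
    """Return {field name: text} for the fields present in a request value."""
    if not value or value[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    length, pos = _read_len(value, 1)
    end, fields = pos + length, {}
    while pos < end:
        tag = value[pos]
        size, pos = _read_len(value, pos + 1)
        fields[FIELDS[tag]] = value[pos:pos + size].decode("utf-8")
        pos += size
    return fields
```

Because the old and new passwords travel as cleartext octet strings inside this value, the operation should only be sent over a connection protected by TLS.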