There are two ways that they can do this; using the password modify extended operation or using a regular password modify operation.

This is straightforward when using the password modify extended operation because the request already includes a field for the user’s current password. If password-change-requires-current-password is true and the user does not provide the current password, then the operation is rejected. The attempt also fails if the provided current password is incorrect, and that is true regardless of the value of the password-change-requires-current-password property.

When using a regular LDAP modify operation, a user’s current password can be provided in a password change request by including two modifications in that request: one that deletes the current password and another that adds the new password.

dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: oldPassword
add: userPassword
userPassword: newPassword

See the config/sample-dsconfig-batch-files/require-current-password-when-changing-passwords.dsconfig batch file for more information about requiring users to provide their current password when performing self password changes.