This can occur when a user changes their own password on a connection authenticated as that user or when the request used to change the password includes the user’s current password. This includes all of the following:

  • When an authenticated client uses either a regular modify operation or a password modify extended operation to change the password for the account they used to authenticate, and when no alternate authorization identity has been requested.
  • When an authenticated client uses a regular modify operation or password modify extended operation to change the password for an account, and uses the intermediate client request control, proxied authorization request control, or SASL alternate authorization to request that the operation be processed under the authority of the user that owns the account whose password is being changed.
  • When a client uses the password modify extended operation to provide the current password for the account whose password is being changed. If the current password is provided, then this is considered a self-change regardless of whether the underlying connection is authenticated and regardless of the identity it is authenticated as.
  • When a client uses a regular modify operation and includes the current password for the user whose password is being changed, even if that request is received on a connection authenticated as some other user.

The password policy configuration includes the following properties pertaining to a user’s ability to change their own password:

allow-user-password-changes
Indicates whether users are allowed to change their own passwords. If this is true (which is the default), then any user with access control permission to update their own password is permitted to do so (as long as the server considers the password acceptable). If this is set to false, then users are not allowed to change their own password regardless of the access control permissions that have been granted to them.
password-change-requires-current-password
Indicates whether users are required to provide their current password when choosing a new password.
allow-expired-password-changes
Indicates whether users are allowed to change their own password if it has already expired. If this is set to true, then they can use the password modify extended operation over an unauthenticated connection with both the current and desired new password.
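The self-change rules and the three properties above can be combined into a small decision model, useful when reasoning about how a given client request will be treated. This is an added example, not the server's own code: the class and function names, the order of the checks, and the sample DNs are assumptions, and access control and password validation are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    allow_user_password_changes: bool = True   # default per the text above
    password_change_requires_current_password: bool = False  # constructed value
    allow_expired_password_changes: bool = False              # constructed value

@dataclass
class ChangeRequest:
    target_dn: str
    auth_dn: Optional[str] = None    # bind identity; None if unauthenticated
    authz_dn: Optional[str] = None   # alternate authorization identity, if requested
    current_password_supplied: bool = False
    target_password_expired: bool = False

def is_self_change(req: ChangeRequest) -> bool:
    # Supplying the current password makes it a self-change no matter who
    # (if anyone) is authenticated on the connection.
    if req.current_password_supplied:
        return True
    # Otherwise the identity the operation runs under must own the account.
    # Simplification: DNs are compared case-insensitively, not normalized.
    effective = req.authz_dn or req.auth_dn
    return effective is not None and effective.lower() == req.target_dn.lower()

def evaluate(req: ChangeRequest, policy: Policy) -> str:
    # Models only the three properties; access control and password
    # validation still apply in a real server. Check order is an assumption.
    if not is_self_change(req):
        return "not a self-change"
    if not policy.allow_user_password_changes:
        return "rejected: allow-user-password-changes is false"
    if policy.password_change_requires_current_password and not req.current_password_supplied:
        return "rejected: current password required"
    if req.target_password_expired and not policy.allow_expired_password_changes:
        return "rejected: password has expired"
    return "permitted by policy"

# Constructed sample identities.
ALICE = "uid=alice,ou=People,dc=example,dc=com"
HELPDESK = "uid=helpdesk,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    locked = Policy(allow_user_password_changes=False)
    # Help-desk bind that passes Alice's current password: still a self-change.
    print(evaluate(ChangeRequest(ALICE, auth_dn=HELPDESK, current_password_supplied=True), locked))
    print(evaluate(ChangeRequest(ALICE, auth_dn=HELPDESK), locked))
```

The first call shows why a tool that forwards the user's current password is bound by allow-user-password-changes even when it binds as a different account.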