password-change-requires-current-password property is set to
true, then users are required to provide their current password when choosing a new
There are two ways that they can do this: using the password modify extended operation or using a regular LDAP modify operation.
This is straightforward when using the password modify extended operation because the request already includes a field for the user’s current password. If password-change-requires-current-password is true and the user does not provide the current password, then the operation is rejected. The attempt also fails if the provided current password is incorrect, and that is true regardless of the value of the password-change-requires-current-password property.
When using a regular LDAP modify operation, a user’s current password can be provided in a password change request by including two modifications in that request: one that deletes the current password and another that adds the new password.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: oldPassword
-
add: userPassword
userPassword: newPassword
-
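A pre-flight check for change scripts, as an added example that is not part of the original documentation or the server's own code: it models the rule described above, where only a delete carrying the old password value together with an add of the new value counts as supplying the current password. The function names, the simplified LDIF parsing (no folded lines) and the second and third sample records are assumptions constructed for illustration.

```python
PASSWORD_ATTR = "userpassword"
CHANGE_TYPES = ("add", "delete", "replace")

def parse_modify_record(ldif):
    """Parse one LDIF 'changetype: modify' record into (dn, [(op, attr, [values])])."""
    dn, mods, current = None, [], None
    for raw in ldif.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                       # "-" closes one modification
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.lstrip(":").strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            if value.lower() != "modify":
                raise ValueError("only modify records are handled")
        elif current is None and key in CHANGE_TYPES:
            current = (key, value.lower(), [])  # e.g. ("delete", "userpassword", [])
            mods.append(current)
        elif current is not None and key == current[1]:
            current[2].append(value)            # a value belonging to the open modification
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return dn, mods

def supplies_current_password(ldif):
    """True only if the request deletes a specific password value and adds a new one."""
    _, mods = parse_modify_record(ldif)
    deleted = any(op == "delete" and attr == PASSWORD_ATTR and bool(vals)
                  for op, attr, vals in mods)
    added = any(op == "add" and attr == PASSWORD_ATTR and bool(vals)
                for op, attr, vals in mods)
    return deleted and added

# Sample records: the first matches the request shown above, the others are constructed.
HEADER = "dn: uid=jdoe,ou=People,dc=example,dc=com\nchangetype: modify\n"
NEW = "userPassword: newPassword\n-\n"
DELETE_THEN_ADD = HEADER + "delete: userPassword\nuserPassword: oldPassword\n-\nadd: userPassword\n" + NEW
REPLACE_ONLY = HEADER + "replace: userPassword\n" + NEW           # no old value supplied
DELETE_ALL_THEN_ADD = HEADER + "delete: userPassword\n-\nadd: userPassword\n" + NEW  # delete without a value

if __name__ == "__main__":
    for name in ("DELETE_THEN_ADD", "REPLACE_ONLY", "DELETE_ALL_THEN_ADD"):
        print(name, supplies_current_password(globals()[name]))
```
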
batch file for more information about requiring users to provide their current password
when performing self password changes.