For self-service password management, where the user knows the current password and wants to update it, the service account of the datastore must have the password validation details request control ACI. For self-service account recovery, where the user wants to define a new password after forgetting the current password, the user account needs the same ACI.
  1. Create LDIF files to capture the following ACI information.
    OID
    1.3.6.1.4.1.30221.2.5.40
    Name
    Password Validation Details Requerst Control
    Permission
    read

    The following examples show the example file contents for change password and password reset.

    aci_toSvcAccount_forChangePassword.ldif
    # ACI to service account for change password
dn: uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local";)
    aci_toUsrAccount_forPasswordReset.ldif
    # ACI to a user account for password reset
dn: uid=user.7,ou=People,dc=example,dc=local
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=user.7,ou=People,,dc=example,dc=local";)
    Note:

    For demonstration purposes, this sample LDIF file only targets one user. You can use other LDIF syntax to widen its coverage to include multiple users.

  2. Use the ldapmodify command to configure the required ACI. 
    $ ldapmodify -f <path>/aci_toSvcAccount_forChangePassword.ldif 
-h <host name> 
-p <LDAP port> 
-D <LDAP bind username> 
-w <LDAP bind password>
    $ ldapmodify -f <path>/aci_toUsrAccount_forPasswordReset.ldif 
-h <host name> 
-p <LDAP port> 
-D <LDAP bind username> 
-w <LDAP bind password>
    Note:

    Line breaks are inserted for readability only.