When the password policy for a user has pwdSafeModify set to TRUE, the old password must be provided with the new password to change the password. The command dsconf set-server-prop pwd-safe-modify-enabled:on has the same effect for the default password policy.
The following command lets Barbara Jensen change her own user password, connecting over simple authentication:
$ ./ldappasswd -h host -D uid=bjensen,ou=people,dc=example,dc=com \ -j old.pwd -T new.pwd -t old.pwd uid=bjensen,ou=people,dc=example,dc=com ldappasswd: password successfully changed
You can also use the LDAP password modify extended operation. Setting up support for the extended operation is explained in To Reset a Password With the Password Modify Extended Operation.