When the password policy for a user has pwdSafeModify set to TRUE, the old password must be supplied together with the new password in order to change the password. The command dsconf set-server-prop pwd-safe-modify-enabled:on has the same effect for the default password policy.
You can use the ldapmodify(1) command to change the password. The LDIF that you pass to the ldapmodify command in that case should be as follows:
dn: DN of user whose password you are changing
changetype: modify
delete: userPassword
userPassword: old password
-
add: userPassword
userPassword: new password
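The LDIF template above breaks if a password starts with a space, a colon or "<", ends with a space, or contains non-ASCII bytes, because LDIF then requires the value to be base64-encoded after a "::" separator. The following added example (not part of the original documentation) builds the delete/add LDIF with that encoding applied where needed; the function names, DN and passwords are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: build the safe-modify LDIF (delete old value, add new value).
# The DN and passwords used below are constructed sample values.

# ldif_attr NAME VALUE
# Print one LDIF attribute line. A value with a leading space, ':' or '<',
# a trailing space, or any byte outside printable ASCII is written
# base64-encoded with the "::" separator. This is slightly stricter than
# RFC 2849 requires, which is safe because base64 is always valid LDIF.
ldif_attr() {
    # Count the bytes left after deleting printable ASCII (space through '~').
    unsafe=$(( $(printf '%s' "$2" | LC_ALL=C tr -d ' -~' | wc -c) ))
    case $2 in
        ' '*|:*|'<'*|*' ') unsafe=1 ;;
    esac
    if [ "$unsafe" -gt 0 ]; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# safe_modify_ldif USER_DN OLD_PASSWORD NEW_PASSWORD
# Emit the modify record that pwdSafeModify expects: the old value is
# deleted and the new value added in a single operation.
safe_modify_ldif() {
    ldif_attr dn "$1"
    printf 'changetype: modify\n'
    printf 'delete: userPassword\n'
    ldif_attr userPassword "$2"
    printf '%s\n' '-'
    printf 'add: userPassword\n'
    ldif_attr userPassword "$3"
}

# Demo with constructed values; pipe the output to ldapmodify with your
# usual bind options instead of printing it.
safe_modify_ldif 'uid=bjensen,ou=People,dc=example,dc=com' 'Old:Secret1' ':New Pass<2'
```

In real use, read the passwords from a prompt rather than writing them as literals in a script, so they do not end up in shell history or files on disk.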
You can also use the LDAP password modify extended operation. Setting up support for the extended operation is explained in To Reset a Password With the Password Modify Extended Operation.