Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide

Modifying Passwords From the Command Line When pwdSafeModify Is TRUE

When the password policy for a user has pwdSafeModify set to TRUE, the old password must be provided with the new password to change the password. The command dsconf set-server-prop pwd-safe-modify-enabled:on has the same effect for the default password policy.

You can use the ldappasswd(1) command to change the password. This command supports safe password modification and implements RFC 3062, LDAP Password Modify Extended Operation.

You can use the ldapmodify(1) command to change the password. The LDIF that you pass to the ldapmodify command in that case should be as follows:

dn: DN of user whose password you are changing
changetype: modify
delete: userPassword
userPassword: old password
-
add: userPassword
userPassword: new password
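
The following Python sketch is an added example, not part of the original guide. It builds the LDIF shown above and base64-encodes any value that LDIF (RFC 2849) cannot carry as plain text, such as a password that starts with a space or colon or contains non-ASCII characters. The function names and the sample DN and passwords are constructed for illustration.

```python
import base64


def _is_safe_string(raw: bytes) -> bool:
    """True if raw may appear unencoded after 'attr: ' (RFC 2849 SAFE-STRING)."""
    if not raw:
        return True
    # First byte may not be SPACE, ':' or '<'; a trailing SPACE should be encoded too.
    if raw[0] in b" :<" or raw.endswith(b" "):
        return False
    # Every byte must be 7-bit ASCII and not NUL, LF or CR.
    return all(b < 128 and b not in (0, 10, 13) for b in raw)


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF line, using 'name:: <base64>' when the value is unsafe."""
    raw = value.encode("utf-8")
    if _is_safe_string(raw):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def safe_modify_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Build the delete-old / add-new change record used when pwdSafeModify is TRUE."""
    if not old_password or not new_password:
        raise ValueError("both the old and the new password are required")
    return "\n".join([
        ldif_attr("dn", dn),
        "changetype: modify",
        "delete: userPassword",
        ldif_attr("userPassword", old_password),
        "-",
        "add: userPassword",
        ldif_attr("userPassword", new_password),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values; the new password starts with ':' and is encoded.
    print(safe_modify_ldif("uid=bjensen,ou=People,dc=example,dc=com",
                           "old-Secret1", ":new pass"))
```

Base64 in LDIF is an encoding, not protection: the resulting file holds both passwords in recoverable form, so keep it readable only by the user running ldapmodify and delete it afterwards.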

You can also use the LDAP password modify extended operation. Setting up support for the extended operation is explained in To Reset a Password With the Password Modify Extended Operation.