Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP


Updated: July 2014

PAM and Changing Passwords

Use the passwd command to change a password. If the enableShadowUpdate switch is not enabled, the userPassword attribute must be writable by the user as well as by the administrator credentials. The serviceAuthenticationMethod for passwd-cmd overrides the authenticationMethod for this operation. Depending on the authentication method, the current password might be unencrypted.

In UNIX authentication, the new userPassword attribute is encrypted with the UNIX crypt format. The attribute is tagged before being written to LDAP. Thus, the new password is encrypted, regardless of the authentication method used to bind to the server. See the pam_authtok_store(5) man page for more information.

If the enableShadowUpdate switch is enabled, the pam_unix_* modules also update the related shadow information when the user password is changed. The pam_unix_* modules update the same shadow fields in the local shadow files that the modules update when the local user password is changed.

The pam_ldap module's support for password update has been replaced by the pam_authtok_store module with the server_policy option. When you use pam_authtok_store, the new password is sent to the LDAP server unencrypted. To ensure privacy, use TLS. Otherwise, the new userPassword becomes subject to snooping.

If you set an untagged password with Oracle Directory Server Enterprise Edition, the software encrypts the password by using the passwordStorageScheme attribute. For more information about the passwordStorageScheme, see the section on user account management in the Administration Guide for the version of Oracle Directory Server Enterprise Edition that you are using.

If NIS or any other client that uses UNIX authentication uses LDAP as a repository, then you must configure the passwordStorageScheme attribute with crypt. Also, if you use sasl/digest-MD5 LDAP authentication with the Oracle Directory Server Enterprise Edition, you must set passwordStorageScheme to clear text.
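An added audit script, not part of Oracle's documentation, that checks the client-side settings this section ties to password privacy and shadow updates: whether pam_authtok_store carries server_policy, whether the passwd-cmd serviceAuthenticationMethod (or the default authenticationMethod) is wrapped in TLS, and whether enableShadowUpdate is on. It assumes the Solaris 11 per-service PAM file layout and the NS_LDAP_* key names printed by ldapclient list; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not Oracle's code. Inputs are passed as text so the checks
# can run on saved copies of /etc/pam.d/other and `ldapclient list` output.

# Constructed: a password stack with and without server_policy on the store module.
PAM_OK='password required  pam_dhkeys.so.1
password requisite pam_authtok_get.so.1
password requisite pam_authtok_check.so.1
password required  pam_authtok_store.so.1 server_policy'
PAM_WEAK='password required  pam_authtok_store.so.1'

# Constructed: ldapclient output with and without tls: on the passwd-cmd service.
LDAP_OK='NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE'
LDAP_WEAK='NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:simple
NS_LDAP_ENABLE_SHADOW_UPDATE= FALSE'

# 0 if every pam_authtok_store line in the password stack carries server_policy.
pam_store_uses_server_policy() {
    printf '%s\n' "$1" | awk '
        $1 == "password" && $3 ~ /pam_authtok_store/ {
            seen = 1; ok = 0
            for (i = 4; i <= NF; i++) if ($i == "server_policy") ok = 1
            if (!ok) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# 0 if the passwd-cmd service method, or failing that the default
# authenticationMethod, is wrapped in tls:, so the clear-text password is protected.
passwd_cmd_uses_tls() {
    printf '%s\n' "$1" | awk '
        /^NS_LDAP_SERVICE_AUTH_METHOD= *passwd-cmd:/ { svc = $0 }
        /^NS_LDAP_AUTH=/ { dflt = $0 }
        END { if (svc == "") svc = dflt; if (svc ~ /tls:/) exit 0; exit 1 }'
}

# 0 if enableShadowUpdate is on, so pam_unix_* keeps the shadow fields in step.
shadow_update_enabled() {
    printf '%s\n' "$1" | awk '/^NS_LDAP_ENABLE_SHADOW_UPDATE= *TRUE/ { f = 1 } END { if (f) exit 0; exit 1 }'
}

# Report on one PAM stack and one ldapclient listing.
audit() {
    pam_store_uses_server_policy "$1" && echo "OK: server_policy set" || echo "WEAK: server_policy missing"
    passwd_cmd_uses_tls "$2" && echo "OK: passwd-cmd uses TLS" || echo "WEAK: passwd-cmd not over TLS"
    shadow_update_enabled "$2" && echo "OK: shadow update on" || echo "INFO: shadow update off"
}
audit "$PAM_WEAK" "$LDAP_WEAK"; audit "$PAM_OK" "$LDAP_OK"
```

On a live host, feed the functions with `cat /etc/pam.d/other` and `ldapclient list` output instead of the constructed samples.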