Thanks for the report.

I also noticed that pwmod always bails out if no pwdmgr dn is configured, even if it shouldn't be needed (ie. user changing own password).

The following patches solve these problems by requiring the old password to be supplied unless working as pwdmgr; by only allowing root to authc or pwmod as pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check if it's not configured.

ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch

I think this patch is a bit off; it prevents root from supplying the old pwd. (Which it must do if changing its own.)

ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch