https://bugs.openldap.org/show_bug.cgi?id=7084

--- Comment #2 from Ondřej Kuzník ondra@mistotebe.net --- How about deciding whether this is an administrator by checking whether the authorization identity is the same as the entry DN? For those, we can add pwdReset to the modify unless already specified.

The concern is there might be management frontends that use a common identity for their LDAP requests and don't do ProxyAuthZ, do we just force them to do the right thing now?