Christian Marg writes:
Since userPassword is a multi-valued attribute, you could simply add a password just before an operator wants to start a "login as user"-session and remove it after a timeout. You'd just have to save the Password string you set in your "service-management software", so you can delete the right one after the operator session ends.
And that service-management's password store can be a tempPassword LDAP attribute. Stored _in addition_ to userPassword in LDAP.
If two operators want to log in as the same user at approximately the same time, do two tempPasswords get created? If so each must be associated with its own timestamp. In LDAP that's simplest done by putting the timestamp and password in the same attribute, e.g. with tempPasswordInfo = "timestamp#password". It should have Octet String syntax since userPassword does.
Assuming he needs to create those passwords at all and can't use SASL like Dan suggested, of course.
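As an added illustration of the scheme discussed in this thread (not code from any of the posters), the snippet below builds the "timestamp#password" tempPasswordInfo value and generates the LDIF modify record that removes expired operator passwords from both tempPasswordInfo and userPassword by value. The attribute name tempPasswordInfo and the GeneralizedTime layout are assumptions from the thread, and deleting userPassword by value assumes the server stores the value exactly as it was set (no server-side hashing).

```python
import base64
from datetime import datetime, timedelta, timezone

# Hypothetical attribute name from the thread. Layout is "timestamp#password" with the
# timestamp first, so splitting on the first '#' is unambiguous even if the password has one.
TEMP_ATTR = "tempPasswordInfo"
TS_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime in UTC

def make_temp_value(password: str, created: datetime) -> str:
    return f"{created.strftime(TS_FMT)}#{password}"

def parse_temp_value(value: str):
    ts, _, password = value.partition("#")
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc), password

def ldif_line(attr: str, value: str) -> str:
    """Base64-encode (attr::) when the value is not an RFC 2849 SAFE-STRING."""
    safe = value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<")
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def cleanup_ldif(dn, values, now, ttl):
    """LDIF modify record deleting every temp password older than ttl from both
    attributes. Deleting userPassword by value leaves the permanent value in place.
    Returns None when nothing has expired."""
    parsed = [(v, parse_temp_value(v)) for v in values]
    expired = [(v, pw) for v, (ts, pw) in parsed if now - ts >= ttl]
    if not expired:
        return None
    lines = [f"dn: {dn}", "changetype: modify"]
    for raw, pw in expired:
        lines += [f"delete: {TEMP_ATTR}", ldif_line(TEMP_ATTR, raw), "-"]
        lines += ["delete: userPassword", ldif_line("userPassword", pw), "-"]
    return "\n".join(lines) + "\n"

# Constructed sample data: an operator session 3 h old (expired) and one 5 min old.
SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TTL = timedelta(hours=1)
SAMPLE_VALUES = [
    make_temp_value("op#1secret", SAMPLE_NOW - timedelta(hours=3)),
    make_temp_value("fresh-pw", SAMPLE_NOW - timedelta(minutes=5)),
]

if __name__ == "__main__":
    print(cleanup_ldif(SAMPLE_DN, SAMPLE_VALUES, SAMPLE_NOW, SAMPLE_TTL) or "nothing expired")
```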