
Do not allow password changes in OpenDJ?


I'm trying to set my OpenDJ LDAP to not allow users to change their password via an LDAP browser. Currently I'm testing this on Apache Directory Studio. In OpenDJ, I've set ds-cfg-allow-user-password-changes: false, but I'm still able to use the browser to create a new password. Am I missing something? This seems to be the only property in OpenDJ's java.properties that would control this.


Solution

The configuration attribute in the default password policy, ds-cfg-allow-user-password-changes, controls whether a user is allowed to change his own password. My guess is that with Apache Directory Studio, you are authenticated as an Administrator who has permissions to change passwords. You can also control read-write permissions to the userPassword attribute with Access Controls. The default global ACIs allow a user to write the attribute only in their own entry.
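Added example (not part of the question or the answer above): an LDIF file that applies both controls the answer describes, the password-policy switch and an ACI on the userPassword attribute. The suffix dc=example,dc=com, the ou=People container and the use of the default policy are assumptions; the policy entry cn=Default Password Policy,cn=Password Policies,cn=config is where OpenDJ stores this attribute (it is part of cn=config, i.e. config.ldif, not a java.properties setting).

```ldif
# Constructed example, not from the original page. Placeholders:
# dc=example,dc=com and ou=People are assumed to be the user suffix.

# 1. Turn off self-service password changes in the default password
#    policy. This is the ds-cfg-allow-user-password-changes attribute
#    from the question; it only governs a user modifying their own entry.
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-user-password-changes
ds-cfg-allow-user-password-changes: false

# 2. Additionally deny userPassword writes through access control, so a
#    bound account that merely has write access to the entry cannot set
#    a new password. A deny ACI takes precedence over the default global
#    "Self entry modification" allow rule; "anyone" covers anonymous and
#    authenticated binds alike.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "No userPassword writes over LDAP"; deny (write) userdn="ldap:///anyone";)
```

Apply it with ldapmodify bound as an administrative identity, then verify with an ldapsearch on the policy entry for ds-cfg-allow-user-password-changes and by retrying the modify from Apache Directory Studio as an ordinary user. Two caveats worth checking in the same session: the supported way to change the first setting is dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set allow-user-password-changes:false rather than editing cn=config directly, and root DNs such as cn=Directory Manager hold the bypass-acl privilege, so neither control stops them; if the browser session in the question is bound as that identity, the password change will still succeed exactly as the answer suggests.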