No, the unicodePwd attribute will reject changes made if the connection is not secure.
It's also very finicky about formatting of the raw LDAP (UTF-16 for the password strings is required), as well as permission enforcement.
For resetting a password (changing it without knowing the old one), the user that bound to LDAP needs to have the "Reset Password" permission on the target user. If you're doing this, you must use the replace operation.
For changing a password (knowing the old and the new), you don't need to be bound to LDAP as any particular user (assuming that you've left the default permissions in place for "Change Password"). However, you need to send both a delete LDAP change with the correct old password, as well as an add type change with the new password, in the same operation.
See the documentation for the unicodePwd attribute for more information.
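The two request shapes described above, rendered as LDIF modify records. This is an added example, not part of the original answer. It assumes the value format from Microsoft's unicodePwd documentation (the password wrapped in double quotes and encoded as UTF-16LE); the helper names, the DN and the sample passwords are constructed for illustration.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Wrap the password in double quotes and encode it as UTF-16LE (no BOM)."""
    return f'"{password}"'.encode("utf-16-le")


def reset_mods(new_password: str):
    """Reset (old password unknown): one replace operation."""
    return [("replace", "unicodePwd", encode_unicode_pwd(new_password))]


def change_mods(old_password: str, new_password: str):
    """Change (old password known): delete old value, add new value, same request."""
    return [
        ("delete", "unicodePwd", encode_unicode_pwd(old_password)),
        ("add", "unicodePwd", encode_unicode_pwd(new_password)),
    ]


def to_ldif(dn: str, mods, secure_channel: bool) -> str:
    """Render the modifications as a single LDIF record (one LDAP modify request)."""
    if not secure_channel:
        # The directory rejects unicodePwd writes on an unprotected connection,
        # so fail before the password is ever put on the wire.
        raise ValueError("unicodePwd can only be written over a secure connection")
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in mods:
        # Binary values use the LDIF base64 form ("attr:: <base64>").
        b64 = base64.b64encode(value).decode("ascii")
        lines += [f"{op}: {attr}", f"{attr}:: {b64}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn = "CN=Example User,OU=Staff,DC=example,DC=com"  # constructed sample DN
    # Constructed sample passwords, for illustration only.
    print(to_ldif(dn, reset_mods("N3w-Sample-Pass!"), secure_channel=True))
    print(to_ldif(dn, change_mods("Old-Sample-Pass1", "N3w-Sample-Pass!"),
                  secure_channel=True))
```
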