Generate and deliver a single-use token to a user through some out-of-band mechanism. The user can provide that token to the password modify extended request in lieu of the user's current password in order to select a new password.
deliver-password-reset-token {arguments} deliver-password-reset-token --hostname server.example.com --port 389 \
--bindDN uid=password.admin,ou=People,dc=example,dc=com \
--bindPassword password \
--userDN uid=test.user,ou=People,dc=example,dc=com \
--deliveryMechanism SMS --deliveryMechanism E-Mail \
--messageSubject "Your password reset token" \
--fullTextBeforeToken "Your single-use password reset token is '" \
--fullTextAfterToken "'." \
--compactTextBeforeToken "Your single-use password reset token is '" \
--compactTextAfterToken "'."