I was trying to get the reset by email tokens to work with the OpenLDAP backend, and getting a message that the password was refused by the LDAP backend. But as I think about it, that makes sense–the config I’m using has the user resetting his own password, which would mean that user needs to be authenticated. If the user hasn’t entered his password, he isn’t authenticated. Bother.
I have working templates that will do the job for the direct password reset using OpenLDAP, so I think I’ll write that up and adjust as needed.