This should *not* be "by self write". The system should update the
shadowLastChange attribute automatically (at least, I just confirmed
that this happens on RedHat ES3/OpenLDAP 2.1.23); the user should at the
most only be able to read it.
I agree with you that this is subject to abuse if the user knows about it.
However, I can confirm that under RH ES 2.1/OpenLDAP 2.0.27-2.7.3, if
this is not set this way, the user is unable to update the attribute when
they change their passwords themselves. The object is never updated and
they're perpetually prompted to change their passwords. Or at least,
that's what I've observed.
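To make the two positions above concrete, here is an added slapd.conf-style ACL fragment (my example, not taken from either poster or from the OpenLDAP project) that places the permissive setting beside the restrictive one. The directory suffix `dc=example,dc=com` and the administrative identity `cn=admin,dc=example,dc=com` are placeholders I chose; the restrictive variant assumes, as the first poster describes, that shadowLastChange is maintained by a privileged identity rather than by the user's own bind. Where the client stack instead writes the attribute as the user at password-change time (the second poster's observation), the restrictive variant will reproduce the "perpetually prompted" loop, so the choice of ACL has to match how your environment actually updates the attribute.

```conf
# --- Permissive: the user may rewrite their own shadowLastChange ---
# Any authenticated user can set this to an arbitrary value, which is
# the abuse case discussed above (e.g. pushing out a forced change).
access to attrs=shadowLastChange
        by self write
        by * read

# --- Restrictive: only the administrative identity may write it ---
# Placeholder admin DN; the user can only read the value.
access to attrs=shadowLastChange
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self read
        by * none

# Password changes themselves remain self-service either way: the user
# can replace userPassword, and anonymous binds may only authenticate.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
```

Note that ACL clauses are evaluated first-match, so the shadowLastChange rule must appear before any broader `access to *` rule, and only one of the two shadowLastChange blocks should be present in a real configuration. An easy check after changing the ACL is to bind as an ordinary user with `ldapmodify` and attempt to replace shadowLastChange: under the restrictive rule the server should refuse with an insufficient-access error, while a replace of userPassword still succeeds.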