A customer recently opened a ticket because LDAP Authentication to PAM stopped working. It turned out that the account was set to "Change Password on Next Login" and the LDAP server was configured with SSL Usage set to Disabled. In order to resolve this problem, the LDAP server was configured with SSL Usage set to LDAPS. With this change made, when the LDAP user logged in again, a window opened prompting for a new password. When the new password was entered, the user was logged in, and the new password was applied to the account on the Active Directory.
Good to know, thanks Ed.