Let me ask two theoretical questions, before I submit my comments below. Windows XP/2000/et. al. send their passwords via SMB hashed. So, without configuring those workstations to send the passwords plaintext over the wire, is there any way for ppolicy to act on the ldapmodify initiated by Samba from Windows clients attempting to change their passwords?
You do *NOT* need to configure the clients to use cleartext password - which BTW would break domain functionality anyway.
Samba has a cleartext equivalent of the password when you do a password change, else how would password chat scripts work?
Furthermore, if the above change is made so that ppolicy can evaluate the plaintext password, what exactly will the interaction between LDAP and the clients be if it fails to clear ppolicy constraints?