Hi,
passwd goes through PAM, so there may be a PAM module that lets you disallow passwd changes based on e.g. group membership (which you could set for all your LDAP users). Maybe worth asking on the PAM mailing list! https://listman.redhat.com/mailman/listinfo/pam-list
Best,
Luke
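
Added example, not part of the original message: one stock Linux-PAM module that can express a group-based rule like this is pam_succeed_if, placed at the top of the password stack that passwd uses. The group name `ldapusers` and the file path are assumptions; the group must be resolvable through NSS on the host.

```conf
# /etc/pam.d/passwd  (path assumed; some distributions include a shared
# password stack from this file instead of listing modules directly)
#
# pam_succeed_if implements every PAM module type, including "password".
# The condition "user notingroup ldapusers" succeeds only when the account
# whose password is being changed (PAM_USER) is NOT a member of the
# hypothetical group "ldapusers".
#
# "requisite" ends the stack immediately on failure, so for members of
# that group passwd stops before any module that would store a new
# password is reached. The test is on the target account, not on the
# caller, so it also applies when an administrator runs passwd for
# such a user.
password  requisite  pam_succeed_if.so  user notingroup ldapusers

# The password lines already present in the file stay below, unchanged.
```

This only gates password changes that go through PAM on this host; changes made directly against the directory server are governed by the directory's own access controls.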