I like this idea Lukas.  That sounds a good way to go.

In the mean time, I create a environment function called passwd that simply print a message explaining the users how to change their passwords.

Thanks,
Bernard



On Sat, Oct 22, 2016 at 5:56 AM, Lukas Erlacher <erlacher@in.tum.de> wrote:
Hi,

passwd goes through pam so there may be a pam module that lets you disallow passwd changes based on e.g. group membership (which you could set for all your ldap users). Maybe worth to ask at the pam mailinglist! https://listman.redhat.com/mailman/listinfo/pam-list

Best,
Luke