This topic comes up in search without a proper answer. The solution appears to be:

1. Set pwdMustChange: TRUE in the policies object (dn: cn=default,ou=Policies,dc=my,dc=com).
2. When creating <user>, set pwdReset: TRUE after creation of <user> using an update (ldapmodify); this will lock the <user> out of logins to that account (but not password changes).
3. Edit or create a login script to check whether pwdReset is TRUE (or use some other method) and force <user> to change the user password through LDAP.

Step 3 may or may not be easy to set up in your environment; for instance, a special guest login for password changes could work.

It is important to note that you cannot log in to the created <user> using su <user> when pwdMustChange: TRUE is set and pwdReset: TRUE is set for <user>, but the user is still allowed to change the password from another user using LDAP to set the <user> password.
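The three steps above as an added shell example (not code from the original answer): the LDIF for the policy object, the LDIF that flags a user, and a login-script check that parses ldapsearch output for pwdReset. It assumes an OpenLDAP server with the ppolicy overlay loaded, the policy DN from the answer, and an admin bind DN of cn=admin,dc=my,dc=com (an assumption; adjust to your directory).

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes an OpenLDAP server with
# the ppolicy overlay loaded, the policy DN from the answer, and an admin bind
# DN of cn=admin,dc=my,dc=com (an assumption; adjust to your directory).

POLICY_DN='cn=default,ou=Policies,dc=my,dc=com'
ADMIN_DN='cn=admin,dc=my,dc=com'   # assumed

# Step 1: LDIF that switches on pwdMustChange in the policy object.
policy_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdMustChange\npwdMustChange: TRUE\n' "$POLICY_DN"
}

# Step 2: LDIF that flags an already-created user; $1 is the user's DN.
reset_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n' "$1"
}

# Push either LDIF (on stdin) to the directory; needs a live server, so not called here.
apply_ldif() {
  ldapmodify -x -D "$ADMIN_DN" -W
}

# Step 3 helper: given ldapsearch LDIF output in $1, succeed if pwdReset is TRUE.
# pwdReset is an operational attribute, so the search must name it explicitly.
needs_reset() {
  printf '%s\n' "$1" | grep -qi '^pwdReset: TRUE$'
}

# Login-script fragment: look the user up and, if flagged, make them change
# the password with ldappasswd (bound as themselves) before doing anything else.
login_check() {
  user_dn=$1
  result=$(ldapsearch -LLL -x -D "$ADMIN_DN" -W -b "$user_dn" -s base pwdReset)
  if needs_reset "$result"; then
    echo "Password reset required for $user_dn" >&2
    ldappasswd -x -D "$user_dn" -W -S "$user_dn"
  fi
}

# Constructed sample search results, used to exercise needs_reset offline.
SAMPLE_FLAGGED='dn: uid=alice,ou=People,dc=my,dc=com
pwdReset: TRUE'
SAMPLE_CLEAR='dn: uid=bob,ou=People,dc=my,dc=com'
```

Against a live directory, apply the two LDIFs with `policy_ldif | apply_ldif` and `reset_ldif 'uid=alice,ou=People,dc=my,dc=com' | apply_ldif`, then call login_check with the user's DN from the login script.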