This is my setup:

Server: Openldap 2.4.39 installed on RHEL7 
Ldap clients: RHEL7 and RHEL5

I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts to login: ldap_pwd_policy = shadow. This works as expected.

Now I need to allow users to reset their ldap password after logging in to an ldap client. This is what is logged when a user attempts to reset their password using passwd:

rhel7 ldap client:
# passwd
Changing password for user real
Current password:
New password:
Retype new password:
passwd: Authentication token manipulation error

rhel7 ldap server: /var/log/secure
pam_unix(passwd:chauthtok): user “real” does not exist in the /etc/passwd
pam_sss(passwd:chauthtok): Password change failed for user real: 28
(Module is unknown)
Gkr-pam: couldn’t update the login keyring password: no old password was
Entered

In an attempt to allow users to change their ldap password, i edited my ACL on the ldap server and added 'shadowLastChange':

dn: olcDatabase={2}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none
olcAccess: {1}to * by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read

However that did not work, on the ldap clients I get this on the logs:
pam_unix(sshd:auth): authentication failure
pam_sss(sshd:auth): authentication failure
pam_sss(sshd:auth): received for user reaL 4 (System error)

This is the /etc/pam.d/system-auth file on the rhel7 ldap client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
~                                     

What other directive do I need to set to allow users to reset their ldap password when they call passwd?

Thank you,
Liz