Duh, I seem to be tired - I forgot you didn't want that privileged user, I focused on the "password works only once" part.
Well. _Something_ needs permission to create a temporary password. Presumably without removing the old one, otherwise anyone can sabotage anyone's password. Which probably kills the ppolicy idea since that gets confused by multiple passwords.
Maybe you could have a separate database or two with passwords, merged into the main one with the translucent overlay... Then the Drupal DN would at least play with its own database and not mess with the main database.
Another way would be to require clients to use SASL instead of Simple Bind. Then you can defer the problem to maintaining a SASL database of temporary passwords.
Just loose ideas, I'm not going to try harder to make sense now...