This is a shot in the dark,
but have you tried specifying:
pam_password exop
..in /etc/ldap.conf?
I suggest this because you mention ldappasswd seems to do the job,
and
ldappasswd uses the password change extended operation to do its
work.
Good shot! It works now. Many thanks - I had looked at exop but for some
reason didn't try it ...
PK