I got this working on Centos 6 using the following for password-auth-ac / system-auth-ac.
#%PAM-1.0
# pam_succeed_if.so in auth MUST be sufficient
# pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
#account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account sufficient pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so