CentOS - PAM LDAP password reset on terminal
I have a Solaris machine running connected to LDAP. Users can log in using credentials stored in LDAP. When a user forgets his/her password, I can reset the password in LDAP and force the user to pick a new password after a successful login (terminal or GUI).
Trying this on CentOS using PAM does not work (the login screen rejects the password if wrong), or I am not quite sure how to configure PAM.
/etc/pam.d/password-auth-ac looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
/etc/nsswitch.conf looks like this:

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
netgroup:   files sss ldap
...
I looked at the configuration on the Solaris machine, and the thing is ancient...
So again, I need that when a user logs on with his/her password, the terminal asks the user to change the password. Help appreciated.
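A "change your password now" prompt at login is the result of two PAM phases working together: the `account` phase is where a module reports an expired or administratively reset password (pam_acct_mgmt(3) returns PAM_NEW_AUTHTOK_REQD), and the login program then runs the `password` phase (pam_chauthtok) to collect the new one. So the first thing to confirm in a stack like the one above is that the directory module is actually wired into both of those phases, and with which control flags. The script below is an added example, not part of the original question; it reads the poster's `password-auth-ac` (reconstructed inline as a constructed sample, or a real file if one is passed) and reports, for a given module, which phases reference it and what control field governs it in a given phase. The function names `phases_with_module` and `control_for_module` are mine.

```shell
#!/bin/sh
# Added example: inspect a Linux-PAM stack file and report where a module sits.
# PAM_SAMPLE is the poster's /etc/pam.d/password-auth-ac, reconstructed here as
# a constructed sample so the script runs offline; pass a path as the last
# argument to read a real file instead.

PAM_SAMPLE=$(cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF
)

# phases_with_module MODULE [FILE]
# Print, space-separated and in stack order, the distinct phases
# (auth/account/password/session) whose lines reference MODULE.
# A leading '-' (the "silently skip if missing" marker) is stripped from the phase.
phases_with_module() {
    module=$1
    if [ -n "$2" ]; then input=$(cat "$2"); else input=$PAM_SAMPLE; fi
    printf '%s\n' "$input" | awk -v mod="$module" '
        /^[[:space:]]*#/ || NF == 0 { next }            # skip comments and blank lines
        {
            phase = $1; sub(/^-/, "", phase)
            found = 0
            for (i = 2; i <= NF; i++) if ($i == mod) found = 1
            if (found && !(phase in seen)) { seen[phase] = 1; order[++n] = phase }
        }
        END { for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? " " : ""), order[i]; printf "\n" }'
}

# control_for_module PHASE MODULE [FILE]
# Print the control field of the first line in PHASE that references MODULE.
# Bracketed controls such as "[default=bad success=ok user_unknown=ignore]"
# span several whitespace-separated fields, so everything between the phase
# and the module path is joined back together.
control_for_module() {
    phase=$1; module=$2
    if [ -n "$3" ]; then input=$(cat "$3"); else input=$PAM_SAMPLE; fi
    printf '%s\n' "$input" | awk -v ph="$phase" -v mod="$module" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            p = $1; sub(/^-/, "", p)
            if (p != ph) next
            for (i = 2; i <= NF; i++) if ($i == mod) {
                ctl = $2; for (j = 3; j < i; j++) ctl = ctl " " $j
                print ctl; exit
            }
        }'
}

# Stand-alone run: report the directory module in the sample stack.
for m in pam_ldap.so pam_unix.so; do
    printf '%s is referenced in: %s\n' "$m" "$(phases_with_module "$m")"
    for ph in account password; do
        printf '  %-9s control: %s\n' "$ph" "$(control_for_module "$ph" "$m")"
    done
done
```

Run against the sample, the report shows pam_ldap.so present in all four phases, governed by `[default=bad success=ok user_unknown=ignore]` in `account` and by `sufficient` in `password`. Linux-PAM's pam.conf(5) lets a bracketed control name the `new_authtok_reqd` return value explicitly, which is the one a directory module raises for a reset password; when you are debugging why the change prompt never appears, checking what your stack maps that value to is a better starting point than re-entering passwords at the login screen.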