Index: pam/pam.c
===================================================================
--- pam/pam.c (revision 1711)
+++ pam/pam.c (working copy)
@@ -363,6 +363,18 @@
     READ_BUF_STRING(fp,ctx->authzmsg);)
 }
 
+static int nslcd_request_config(pam_handle_t *pamh,struct pld_ctx *ctx,struct pld_cfg *cfg,
+                                int cfgopt,char **value)
+{
+  PAM_REQUEST(NSLCD_ACTION_CONFIG_GET,
+    /* log debug message */
+    pam_syslog(pamh,LOG_DEBUG,"nslcd request config (%d)",cfgopt),
+    /* write the request parameter */
+    WRITE_INT32(fp,cfgopt),
+    /* read the result entry */
+    READ_BUF_STRING(fp,*value);)
+}
+
 /* remap the return code based on the configuration */
 static int remap_pam_rc(int rc,struct pld_cfg *cfg)
 {
@@ -550,6 +562,7 @@
   struct pld_ctx *ctx;
   const char *username,*service;
   const char *oldpassword=NULL,*newpassword=NULL;
+  char *prohibit_message;
   struct passwd *pwent;
   uid_t myuid;
   /* set up configuration */
@@ -557,6 +570,16 @@
   rc=init(pamh,&cfg,&ctx,&username,&service);
   if (rc!=PAM_SUCCESS)
     return remap_pam_rc(rc,&cfg);
+  /* check if password modification is allowed */
+  rc=nslcd_request_config(pamh,ctx,&cfg,NSLCD_CONFIG_PAM_PWD_PROHIBIT_MSG,&prohibit_message);
+  if ((rc==PAM_SUCCESS)&&(prohibit_message!=NULL)&&(prohibit_message[0]!='\0'))
+  {
+    /* we silently ignore errors to get the configuration option */
+    pam_syslog(pamh,LOG_NOTICE,"password change prohibited: %s; user=%s",prohibit_message,username);
+    if (!cfg.no_warn)
+      pam_error(pamh,"%s",prohibit_message);
+    return remap_pam_rc(PAM_PERM_DENIED,&cfg);
+  }
   /* see if we are dealing with an LDAP user first */
   if (ctx->dn==NULL)
   {
Index: nslcd.h
===================================================================
--- nslcd.h (revision 1711)
+++ nslcd.h (working copy)
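Review bot: nslcd_request_config has no header comment, and its one non-obvious contract is that `*value` is written only by the final READ_BUF_STRING step, so a failure anywhere earlier inside PAM_REQUEST leaves `*value` untouched and callers must test the return code before reading it. I would put above the function: `/* request configuration option cfgopt from nslcd; on success *value points to the returned string, on failure *value is left untouched */`. Since the string is read through READ_BUF_STRING the same way ctx->authzmsg is in the hunk's first context line, it presumably lives in the request buffer and is only valid until the next nslcd request; that is worth stating in the same comment once confirmed against the macro, which is outside this hunk. The `cfg` parameter is not referenced in the visible body; if PAM_REQUEST does not use it either, either drop it or note that it is kept for symmetry with the other nslcd_request_* helpers.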
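Review bot: `char *prohibit_message;` is declared without an initializer even though the only function that assigns it, nslcd_request_config, does so solely on its success path. The caller today is safe only because its condition tests rc==PAM_SUCCESS before prohibit_message via short-circuit `&&`; anyone reordering that condition or adding a second use gets an uninitialized pointer. Initialize at declaration, `char *prohibit_message=NULL;`, matching the oldpassword/newpassword declarations two lines above it.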
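Review bot: The comment `/* we silently ignore errors to get the configuration option */` sits inside the block that runs only when rc==PAM_SUCCESS and a non-empty message came back, i.e. the one path on which no error was ignored; it belongs on the line before the `if`, next to the return-code test it explains. It would also be worth saying there that an nslcd that is down or does not answer this request means the prohibition is simply not enforced by this check (the LDAP requests further down presumably fail on their own, but they are outside the hunk). Note too that the check runs before the `ctx->dn==NULL` LDAP-user lookup that follows it, so it denies every user reaching this module, not only LDAP users; if that is intended, a one-line comment such as `/* applies to all users, not only LDAP users */` would stop the next reader from moving it. The ctx->dn==NULL block and the rest of pam_sm_chauthtok continue past the end of the hunk.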
@@ -71,6 +71,16 @@
    1.0 release of nss-pam-ldapd is made. */
 #define NSLCD_VERSION 1
 
+/* Get a NSLCD configuration option. There is one request parameter:
+     INT32   NSLCD_CONFIG_*
+   the result value is:
+     STRING  value, interpretation depending on request */
+#define NSLCD_ACTION_CONFIG_GET 20006
+
+/* return the message, if any, that is presented to the user when password
+   modification through PAM is prohibited */
+#define NSLCD_CONFIG_PAM_PWD_PROHIBIT_MSG 852
+
 /* Email alias (/etc/aliases) NSS requests.
    The result values for a single entry are:
      STRING      alias name
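Review bot: The comment on NSLCD_CONFIG_PAM_PWD_PROHIBIT_MSG does not say what the reply looks like when password modification is allowed; the pam.c side of this diff treats an empty string as "allowed" (`prohibit_message[0]!='\0'`), and since this header is the protocol contract that convention should be spelled out here, e.g. appending `an empty string means password modification is allowed` to the comment. It would also help to note on NSLCD_ACTION_CONFIG_GET that it is issued from the PAM module, i.e. from whatever process is running the PAM stack, so only options that are safe to hand to any local client should ever be served through it; the server-side handler for the action is not part of this diff, so this is a constraint on future additions rather than on visible code. Minor: "a NSLCD" reads better as "an NSLCD".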