Sorry, but does it mean that use of the LDAP protocol is mandatory? I don't think so.
Thanks to the NSS/PAM implementation, you could use the passwd command (assuming the ACL authorizes the user to write their own entry, which I haven't checked yet, but in any case this should not be a blocking point).
If you still want to use LDAP, one way to achieve it could be to:
- run one step generating this new password and updating your reference LDIF file
- in a second step, modify the LDAP content using ldapmodify based on this LDIF file
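The two-step LDAP route described above, as an added shell example that is not part of the original reply. It assumes an OpenLDAP-style directory where userPassword of the target entry is writable by the binding identity and that ldapmodify (from ldap-utils) is installed; the server URI, bind DN, target DN and password length are placeholders chosen for the example. Step 1 generates the password and writes the LDIF fragment; step 2 applies it with ldapmodify over StartTLS, so the plaintext value is not sent in the clear.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: the .invalid
# hostnames/DNs and the password length are assumptions for illustration.

# Step 1: generate a random alphanumeric password from /dev/urandom.
# LC_ALL=C keeps tr byte-oriented; length defaults to 20 (an assumption).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-20}"
}

# Step 1 (cont.): build the LDIF that replaces userPassword on one entry.
# The value is sent as-is; with olcPasswordHash configured the server
# stores it hashed, otherwise pre-hash it with slappasswd first.
make_password_ldif() {
    dn=$1
    pw=$2
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$dn" "$pw"
}

# Step 2: apply the LDIF with ldapmodify. -ZZ requires StartTLS to succeed,
# -W prompts for the bind password rather than taking it on the command line.
# Returns 2 if ldapmodify is not installed so callers can detect the skip.
apply_ldif() {
    ldif_file=$1
    command -v ldapmodify >/dev/null 2>&1 || {
        echo "ldapmodify not installed; skipping apply step" >&2
        return 2
    }
    ldapmodify -ZZ -H ldap://ldap.example.invalid \
        -D "cn=admin,dc=example,dc=invalid" -W -f "$ldif_file"
}

# Stand-alone run: generate, write the LDIF to a private temp file, apply,
# then remove the file so the plaintext password does not linger on disk.
main() {
    umask 077
    dn="uid=jdoe,ou=people,dc=example,dc=invalid"
    pw=$(gen_password 24)
    tmp=$(mktemp)
    make_password_ldif "$dn" "$pw" >"$tmp"
    apply_ldif "$tmp" || echo "apply step returned $?" >&2
    rm -f "$tmp"
}
# Invoke with: main
```

The LDIF file is created with a restrictive umask and deleted afterwards because, unlike the passwd/PAM route, this approach briefly stores the new password in plaintext on the host; keep the reference LDIF file mentioned above under the same protection if it retains that value.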