Using sssd together with 389 directory server (password expiration policy and history activated), changing user password with the passwd command will print the error message:

Password change failed. Server message: Failed to update password

passwd: Authentication token is no longer valid; new one required

in the following cases:

- password has been changed less than a day ago

- password is in 389 server history

- password does not meet syntax constraints in 389 server

Since 389 server does say why it rejects passwords, is there a configuration on sssd side to have more details about why the password is rejected ?

I'm using sssd-1.16.2-13.el7_6.8.x86_64 (RHEL 7U6).

I have the following configuration:
[domain/default]

cache_credentials = True
ldap_search_base = dc=XXX
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://YYY
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
config_file_version = 2

domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]