It seems the "ldap passwd sync" option doesn't set shadowLastChange, am I right? Without it, unix users could be prompted to change their password even though they have already done so via windows.