Pat Riehecky writes:
For political reasons I can only ask for one account to be checked for validity at a time... could take a few years to filter through them all....
OMG - I hope you are talking about checking old accounts, not new ones as well.
If there was a way I could store the timestamp of the last successful bind by this user in their entry (similarly to lastmod or create date) then after a year or three anyone who has no entry would be a candidate for further investigation....
The accesslog (record Binds) and ppolicy overlays (record changes, and expire old passwords).
In the long run, see if you can ensure future accounts get tied to a person ID from your personnel/student systems if you haven't already. This lets you push the formalities of tracking who people are, and who is responsible for knowing that, from IT staff who commonly have no clue to student/employee admin staff who do.
For accounts whose owners can easily prove they are the owner, you can have a password expiry policy. Passwords get stolen and cracked, computers get hacked... you should limit the lifetime of a stolen password. Such unused accounts will stand out as a side effect of password expiry.
On the LDAP side, the ppolicy overlay can help. You need a simple way for users to set new passwords, and a procedure for users whose accounts have been locked to get new passwords. Ask the local sysadmin and show ID, maybe. (And have mercy on the people who'll be asked for new passwords - don't expire 1000 passwords on the same day.)
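As an added illustration of the accesslog suggestion above (this is example code written for this page, not from the thread or from OpenLDAP itself): once the accesslog overlay is configured with `logops binds`, every bind attempt is stored as an `auditBind` entry carrying `reqStart`, `reqDN` and `reqResult`. The script below parses a constructed LDIF dump of such entries, keeps the most recent successful bind (`reqResult: 0`) per DN, and lists the accounts in a constructed user list that have not bound successfully within a year. The sample entries, the user list, the `now` date and the `dc=example,dc=edu` suffix are all assumptions for the demonstration.

```python
"""Find accounts with no recent successful bind, using OpenLDAP accesslog records."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what the accesslog overlay writes for binds
# (objectClass auditBind). reqResult 0 = success, 49 = invalidCredentials.
SAMPLE_ACCESSLOG_LDIF = """\
dn: reqStart=20230105093000.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20230105093000.000001Z
reqType: bind
reqDN: uid=alice,ou=people,dc=example,dc=edu
reqResult: 0

dn: reqStart=20240210181500.000002Z,cn=accesslog
objectClass: auditBind
reqStart: 20240210181500.000002Z
reqType: bind
reqDN: uid=alice,ou=people,dc=example,dc=edu
reqResult: 0

dn: reqStart=20230601120000.000003Z,cn=accesslog
objectClass: auditBind
reqStart: 20230601120000.000003Z
reqType: bind
reqDN: uid=bob,ou=people,dc=example,dc=edu
reqResult: 49

dn: reqStart=20221201080000.000004Z,cn=accesslog
objectClass: auditBind
reqStart: 20221201080000.000004Z
reqType: bind
reqDN: uid=dave,ou=people,dc=example,dc=edu
reqResult: 0
"""

# Constructed list of the accounts under review (carol has never bound).
ALL_USERS = [
    "uid=alice,ou=people,dc=example,dc=edu",
    "uid=bob,ou=people,dc=example,dc=edu",
    "uid=carol,ou=people,dc=example,dc=edu",
    "uid=dave,ou=people,dc=example,dc=edu",
]


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, attr: value lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_req_start(value):
    """accesslog reqStart is GeneralizedTime with microseconds: YYYYmmddHHMMSS.ffffffZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def last_successful_bind(entries):
    """Map lower-cased bind DN -> timestamp of its most recent successful bind."""
    last = {}
    for e in entries:
        if "auditBind" not in e.get("objectClass", []):
            continue
        if e.get("reqResult", ["-1"])[0] != "0":  # only successful binds count
            continue
        dn = e["reqDN"][0].lower()  # DNs compare case-insensitively
        ts = parse_req_start(e["reqStart"][0])
        if dn not in last or ts > last[dn]:
            last[dn] = ts
    return last


def stale_accounts(users, last, now, max_idle_days=365):
    """Accounts with no successful bind at all, or none within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in users
                  if last.get(u.lower()) is None or last[u.lower()] < cutoff)


def report(now=datetime(2024, 3, 1, tzinfo=timezone.utc)):
    """Run the check over the constructed sample; 'now' is an assumed reference date."""
    last = last_successful_bind(parse_ldif(SAMPLE_ACCESSLOG_LDIF))
    return stale_accounts(ALL_USERS, last, now)


if __name__ == "__main__":
    for dn in report():
        print("candidate for review:", dn)
```

Two caveats for real use: the accesslog database is normally trimmed by `logpurge`, so either keep the purge window longer than your idle threshold or periodically roll the per-user "last bind" result into a separate store; and a failed bind (non-zero `reqResult`) is deliberately not counted, since a stream of failures against a dormant account is itself worth a look rather than evidence the owner is around.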