userPassword is *not* a "state-related attribute", please see 'man slapo- ppolicy'.
Note, that what this does mean is that you may be locked out on one slave, but not the others (and maybe not the provider), and simple reset-ing the password on the master may not be sufficient to unlock the account on the slaves, and the pwdAccountFailureTime attributes may not be cleared, meaning one more failed authentication may lock the account on a slave (especially in a load-balanced environment).
Nice :(
I work in load-balanced environment of course, so this supposes a potential and serious problem. Always I have the brute-force option: make the changes in the provider and restart the consumers to force the re-sync.
Once again ... :(