If you don't implement ACL calls, then you should probably just omit this attribute. If you do implement ACLs, then it may be OK to expose it. The Symas module implements shadow support, as well as AIX tcb, and Secureware (SCO, HPUX) mechanisms.userPassword: Set from pw_passwd [3]
[3] Probably useless in a shadowed environment.