Though why use SHA instead of the default SSHA (salted SHA)? Even CRYPT passwords have a salt.
And there ought to be a password expiry policy in place so users will need to change old passwords anyway. If LDAP is your authorative store for passwords, see man slapo-ppolicy.
Regards, Jeroen