man slapo-ppolicy を確認すると pwdAccountLockedTime について以下のように書かれていました。 この属性に 000001010000Z という値を設定すると永久にユーザはロックされるそうです。
1 2 3 4 5 6 7 8 910111213141516171819
pwdAccountLockedTime
This attribute contains the time that the user's account was locked.
If the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
( 1.3.6.1.4.1.42.2.27.8.1.17
NAME 'pwdAccountLockedTime'
DESC 'The time an user account was locked'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation)
<template><name>AccountLock</name><description>Account Lock Attribute (pwdAccountLockedTime)</description><author>sig9</author><version>1.0</version><email>sig9@sig9.org</email><rdn>cn</rdn><extends>user</extends><attribute><name>objectclass</name><value>top</value><value>pwdPolicy</value></attribute><attribute><name>pwdAttribute</name><value>userPassword</value></attribute><attributetype="text"><name>pwdAccountLockedTime</name><description>This attribute holds the time that the user's account was locked.</description><controltype="combolist"><items><item><value>000001010000Z</value><caption>Lock</caption></item></items></control></attribute></template>