root# useradd -S ldap fooldap: operation failed.ldap shadow database update failed for foo.UX: useradd: ERROR: Cannot update system - login cannot be created.
Despite the error message, the account was actually created. After some debugging and with some help from my colleague Michen Chang, we found the root cause. Apparently OpenLDAP is stricter than ODSEE when interpreting INTEGER attributes, and rejects unspecified values. In particular, the attributes shadowInactive and shadowExpire in nis.schema must be specified. These correspond to the useradd option -f and -e, but I didn't want these options to be required.
An easy workaround is to set defaults for these attributes, as follows:
root# useradd -D -e 1/17/2038 -f 365group=staff,10 project=default,3 basedir=/export/homeskel=/etc/skel shell=/usr/bin/bash inactive=365expire=1/19/2038 auths= profiles= roles= limitpriv=defaultpriv= lock_after_retries=
Now I can easily create accounts without getting that error message. The accounts will be valid until 2038 (when the 32 bit UNIX system time overflows) as long as the user logs in at least once a year.