How to fully integrate an OSX Environment with an existing LDAP directory?
Howdy!
I've walked into an environment that heavily relies upon an RFC 2307-compliant LDAP server. I've even gotten my Leopard-based systems to talk with it AND use 802.1X authentication over the Ethernet cable upon login. Really cool.
However, we want to start enforcing policies on our users (screen locks, etc.) and the easiest way to do that is through Workgroup Manager and an OS X setup. I can think of a few ways to do this:
1) Have my OS X clients STOP using our existing LDAP server and point them to a new OpenLDAP setup on a spare XServe we have. This OpenLDAP setup will be initially populated with data from our LDAP setup. Password changes would happen via our password reset website and a special job would then sync the password change.
2) Add OS X attributes to our existing LDAP server.
3) Find a way to do some kind of LDAP referral so that when a client looks for attributes that aren't there on the normal/primary/RFC 2307 LDAP server, the request is forwarded to the OS X LDAP server(?).
What different paths have you taken, and what do you recommend as the most successful? Is there something I'm missing? Do LDIF templates exist so we can add the extended OS X attributes to our existing LDAP schema?
Thank you!