Keychain password and LDAP password sync’ing

I am getting complaints from my users about their keychain password. Every time they change their login password (Kerberos/LDAP) they have to type in their old password until I can run Keychain first aid. This is unacceptable every 30 days. How can the key chain password be kept in sync with the login password automagically? TIA.