
Ldapv3, filtering, exposing

Hey, we have a Novell network with lots of users; we also have a Mac server which will be replaced shortly. Currently the two systems are not integrated, but I'm working on getting the users to be able to use their Novell logins to access the Macs on the new server (Mavericks). I've got the login working using LDAP, but there are some issues that I would like to get input on.


----------------------------------> details <---------------------------------------

1. Currently the LDAP users do not have a posixaccount, hence no uidnumber. I've put together a simple piece of software that "mac-enables" an account, so you browse the Novell tree, click a user and with a button-press the LDAP account gets objectclass posixgroup added and a generated uid, and is also added to a group called "macusers". This works fine. What doesn't is the server manager on the Mac server. It starts reading the user list, then crashes with an exception, nsinvalidargumentexception "attempt to insert nil object from objects[1082]".


Now, there are about 1200 users in the DN supplied, where there might be about 50 users that will actually need to be read. They are in different OUs below this though, and cannot be moved to another OU due to this DN being a school, and there are some users in each class that need Mac access. The best solution would be to just add a filter that makes the server only read those which have objectClass=posixAccount; the rest aren't interesting. But I can't find anything in the config files etc. to make this happen. Any ideas?


2. When this LDAP server is set up on the server, I can log in to the server using these accounts. Is there any way to expose these accounts from the server to the server's clients, so that Open Directory gets the users from LDAP and redirects them to the clients, instead of connecting each client to the Novell LDAP server? Not a big deal, but it will make stuff easier to configure.

Mac mini, OS X Server

Posted on Apr 16, 2014 12:32 AM

Question marked as Best reply

Posted on Apr 16, 2014 2:30 AM

I solved the first part: I noticed I could lock the mapping to only list the groups with the provided objectclasses.
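
An added example, not part of the thread or of any poster's tooling: a Python sketch of what restricting a subtree search to objectClass=posixAccount selects when the users sit in different OUs, followed by a check that every selected entry has a uidNumber and that no generated uidNumber is shared. The DNs, entries and function names are constructed for illustration, and the DN comparison is a plain string match without full DN normalization.

```python
from collections import defaultdict

# Constructed sample entries (not from the thread): users in different OUs
# under one school container; only some have been "mac-enabled".
ENTRIES = [
    {"dn": "cn=anna,ou=class1a,o=school", "objectClass": ["inetOrgPerson", "posixAccount"], "uidNumber": ["2001"]},
    {"dn": "cn=ben,ou=class1a,o=school", "objectClass": ["inetOrgPerson"]},
    {"dn": "cn=carl,ou=class2b,o=school", "objectClass": ["inetOrgPerson", "PosixAccount"], "uidNumber": ["2001"]},
    {"dn": "cn=dora,ou=class2b,o=school", "objectClass": ["inetOrgPerson", "posixAccount"]},
    {"dn": "cn=eve,ou=staff,o=other", "objectClass": ["inetOrgPerson", "posixAccount"], "uidNumber": ["2002"]},
]

def in_subtree(dn, base):
    """Subtree scope: the entry is the base itself or sits anywhere below it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def select_posix(entries, base):
    """Emulate a subtree search under `base` with filter (objectClass=posixAccount)."""
    return [e for e in entries
            if in_subtree(e["dn"], base)
            and "posixaccount" in (c.lower() for c in e.get("objectClass", []))]

def audit(entries, base):
    """Return (visible DNs, DNs lacking uidNumber, uidNumbers shared by >1 DN)."""
    visible = select_posix(entries, base)
    missing = [e["dn"] for e in visible if not e.get("uidNumber")]
    by_uid = defaultdict(list)
    for e in visible:
        for uid in e.get("uidNumber", []):
            by_uid[uid].append(e["dn"])
    dupes = {uid: dns for uid, dns in by_uid.items() if len(dns) > 1}
    return [e["dn"] for e in visible], missing, dupes

if __name__ == "__main__":
    visible, missing, dupes = audit(ENTRIES, "o=school")
    print("visible:", visible)
    print("missing uidNumber:", missing)
    print("duplicate uidNumber:", dupes)
```

Two accounts that share a uidNumber are the same file owner on the Macs, so the duplicate check matters whenever uids are generated by a separate tool.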

2 replies

May 21, 2014 10:49 PM in response to LSK_IT

Hi,


Sorry, not much of an answer to your questions asked here, but I'll be attempting to install and configure my Mac server (Mavericks) with LDAP integration from our Novell eDirectory later this week. Hopefully I can help shed some light on your issues.


If there are any issues that I should be looking forward to, please feel free to let me know 🙂


J.
