Thanks Rob.
I ended up creating a script that loops over each user via "ipa user-find" and
then uses "ipa user-show" to check for password existence. I'm filtering
the user-find by a specific user group, but the LDAP search could probably do that too and
probably is much faster.