Cool exactly what I've been looking for.
Another question relates to offline caching. I've testing it and it has been working well. However I've seen a situation where credentials are not used in offline mode. I've used iptables to simulate an unreachable ldap server by blocking port 636.
It seems to retry a few time to access the ldap server and to fail without trying to use cached passwords