in reply to LDAP & getpwnam

The LDAP implementations I have worked with have always prevented password retrieval. You can, however, create a new attribute on the user object that stores a synchronized version of the password. Although guilty, I can't condone this as a Good Thing to do; however, if you limit access to that attribute, you can minimize the risk.