homepage

spwd.getspall() is returning LDAP (non local) users too. 
On RHEL 6.2 machine with LDAP authentication configured, spwd.getspall() 
is returning LDAP (non local) users too. On a similarly configured CentOS 6.2 machine, spwd.getspall() is returning only local users.
Is spwd.getspall() supposed to return LDAP users? (If yes, this should to documented). Why is spwd.getspall() behavior different on different Linux OSes?

Like passwd and group information, the shadow password entries are pulled through libc's Name Service Switch and modules for it, depending on configuration.
See "man nsswitch.conf".
Hence this is likely to be a configuration difference between the two boxes. Some notes from one of my Red Hat colleagues:
* Is a module listed in /etc/nsswitch.conf so that it'll be used to look
 up "shadow" information?
* Does the module support looking up shadow information?
 The libnss_ldap.so.2 stub from nss-pam-ldapd does; SSSD (at least
 version 1.8.3) doesn't.
* Are there shadowAccount entries in the directory server?
 An IPA server won't have them, because IPA makes use of the directory
 server's built-in password policy functionality to avoid depending on
 clients to enforce aging policies.
* Is the client performing the lookup authorized to read the shadow data
 from the directory server?
* Does the client perform any additional access control?
 The daemon in nss-pam-ldapd only exposes shadow information to
 processes running as UID 0.
etc
Hope this is helpful

Dave has explained the problem very well. I like to add one thing. The module just returns what your operation system's getspent() API returns. http://linux.die.net/man/3/getspnam
Please ask your vendor for more details, too.