Add support for a new model, CoPerson hasMany UnixAccount, holding attributes necessary for provisioning a UnixAccount. Items such as uidNumber and homeDirectory could be assigned similar to how identifiers can be assigned. gidNumber and loginShell would need some other behavior. gidNumber might be tied to CoGroup somehow, and loginShell might simply have a default value.
Perhaps UnixAccount would be instantiated from UnixServer or UnixCluster, which would hold the appropriate policies.