What I did is retrieve users by OU, by SN.
for each OU:
    ldap call: (sn=A*)
    ldap call: (sn=B*)
    ...
And you can add this ldap filter as an input variable. This way, when a user is modified in your directory, you can call your pam process to update a single user.
So once the complete sync is done, it will run several times through the day for every modification in your directory.
This is what we did here.
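As an added illustration (not the poster's code), here is how the two pieces above fit together: the per-OU, per-surname-initial searches for the complete sync, and the single-user filter fed in as a variable for incremental updates. The base DN and OU names are hypothetical placeholders, and the escaping function matters because a value taken from a modification event must not be able to reshape the filter.

```python
# Added example, not from the original post. Builds the LDAP searches the post
# describes; base DN and OU names are constructed placeholders.
import string

BASE_DN = "dc=example,dc=org"      # assumption: hypothetical directory suffix
OUS = ["Sales", "Engineering"]      # assumption: hypothetical OU names (config constants)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    directory- or user-supplied string is matched literally and cannot widen
    or rewrite the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def full_sync_searches(ous=OUS, initials=string.ascii_uppercase):
    """Return (search base, filter) pairs for the initial complete sync:
    one search per OU and surname initial, keeping each result set small
    enough to stay under typical server size limits."""
    searches = []
    for ou in ous:
        base = f"ou={ou},{BASE_DN}"
        for letter in initials:
            searches.append((base, f"(sn={letter}*)"))
    return searches


def single_user_filter(uid: str) -> str:
    """Filter passed as the input variable when one user is modified; the uid
    is escaped so 'a*' or 'x)(objectClass=*' do not match extra entries."""
    return f"(uid={escape_filter_value(uid)})"


if __name__ == "__main__":
    for base, flt in full_sync_searches()[:3]:
        print(base, flt)
    print(single_user_filter("jdoe"))
```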