Here is the relevant section from the vas.conf man page:
check-uid-conflicts = <true | false>
Default value: false
To help avoid security problems that result from users sharing UIDs, the pam_vas module will perform a UID conflict check for each VAS user login to ensure that their UID is unique before they are granted access to the system. In the case that a given Unix system has applications that authenticate users but bypass the pam_authenticate() function call, you can set this option to true, which will cause nss_vas to perform a UID conflict check for users during the getpwnam function. If users have a UID conflict, then their login shell will be set to /bin/false or to the value of the access-denied-shell option.
Note that enabling this check does impact the performance of getpwnam(). Only enable this check if necessary and after verifying that the performance impact does not severely impact your environment.
The following example shows how to turn on UID conflict checking during getpwnam() calls for Active Directory Users handled by nss_vas.
check-uid-conflicts = true