My strong recommendation for you is ... make everything LDAP, nothing local, if you are using LDAP at all.
The "local user" could easily become an unknown, unseen, and therefore unmanageable back door to a corporate system that is relying on centrally-managed LDAP authorization/authentication. "Out of sight = out of mind." Use LDAP to authenticate everything, including local logins to the machines. If you / your company has (wisely ...) chosen to "centrally manage everything," then there should be nothing that is [i]not[/i] centrally-managed; nor should there be any capacity to do so.
(Sounds a bit strong and harsh there ... oh well, not intended as such ... just my )
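As an added illustration of the "unseen local user" problem the post describes (this is not code from the post or its author), the following POSIX shell audit lists file-backed interactive accounts on a host and flags those that do not appear in the central directory's user list. It assumes the central list is handed in as a plain file of one username per line; producing that file from the directory (for example with an ldapsearch query on the uid attribute) is left to the reader, and the sample passwd entries below are constructed for the demo.

```shell
#!/bin/sh
# Audit for local accounts that bypass central (LDAP) management.
# Assumptions (hypothetical, not from the post):
#   - "local" means present in a passwd-format file (default /etc/passwd)
#   - "interactive" means UID >= 1000, not the nobody UID, and a shell
#     that is not nologin/false; root and system accounts are excluded here
#   - the central directory's users are supplied as a file of usernames

# Print local interactive account names from a passwd-format file.
# $1 = path to passwd file (default /etc/passwd)
local_interactive_accounts() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' \
        "${1:-/etc/passwd}"
}

# Print local interactive accounts that are absent from the central list.
# $1 = passwd file, $2 = file with one centrally-managed username per line
unmanaged_accounts() {
    # awk reads the central list first (NR==FNR), then the piped account names
    local_interactive_accounts "$1" \
        | awk 'NR == FNR { known[$1] = 1; next } !($1 in known)' "$2" -
}

# Stand-alone demo on constructed data (not a real host's passwd file).
demo_unmanaged_accounts() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
svcbackup:x:1001:1001::/var/backup:/bin/sh
bob:x:1002:1002::/home/bob:/usr/sbin/nologin
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
EOF
    # Only alice is known to the directory; svcbackup is the unmanaged back door.
    printf 'alice\n' > "$dir/central"
    unmanaged_accounts "$dir/passwd" "$dir/central"
    rm -rf "$dir"
}

demo_unmanaged_accounts
```

Run it on a real host as `unmanaged_accounts /etc/passwd central-users.txt`; every name it prints is an account that can log in without the directory ever seeing it, which is exactly the "out of sight" case the post warns about.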