Quote:
Their suggestion is that we run in parallel a set of local configured users and a set of LDAP configured users and both methods can coexist without conflicts.
That sounds like a bad idea; however, it could be a good idea if the local files are updated regularly from the LDAP files. Your servers should have both a "pull" and a "push" mechanism. Password information changes should always be against the master LDAP server. These changes should be pushed right away.
The biggest risk is if you have a user who is fired/terminated, and you need to shut off their account right away. That's another reason why you need the "push".
LDAP supports replication, so what you can do is run an LDAP mirroring service on each server. Each service is basically a slave to the master one. I believe this supports the push/pull thing I'm talking about, but I'm not 100% sure.