In my case I would have to shelve ppolicy until all my clients had been converted. I have over 150 clients and 600 user accounts (under my control), but LDAP is not just used by PAM/NSS (if it were, it would be easy): there are undocumented usages in Apache configs, Confluence, possibly webapps written in all manner of languages, etc., etc.
It's a real mess...