LDAP for pbuttwords ONLY

I run a Linux file and web server for a small unit of a larger university. The university maintains an LDAP server that has all faculty, staff, and students in it, and includes their main pbuttword which is used for e-mail and other online services.

What I would like to do is configure Linux on the machine so that already-existing users configured inetc-pbuttwd andetc-shadow could use their university pbuttword for shell logins and Samba access, but that all other configuration settings, such as which groups they are in, the groups themselves, etc., would continue to be maintained locally on our Linux server. If I want to grant another user access, I would like to simply be able to add them into our server, being careful to give them the same login name as their existing campus username, set their group memberships and so on for our server, and then allow them to log in using their LDAP-authenticated pbuttword.

But, all the configuration examples that I have seen basically require you to turn over administration of users completely over to LDAP, with the exception of certain accounts which you can select to completely maintain locally (including the pbuttword). I want the middle ground, in which existence of, and group membership, shell setting, name, etc., for the users is managed locally on the machine, and only the pbuttword is authenticated with LDAP.

The university IT department, which maintains the LDAP server, knows nothing of the particular groups and access settings that I want to make on our unit's server, and I would prefer to leave it that way.

Any ideas? Have I missed something obvious here?