We had a few LDAP rolling upgrades over the past few days. When Puppet realizes a User type, it apparently detects a provider for the user. When LDAP works, it does not create the user, but whenever LDAP does not, Puppet falls back to adduser and creates a local user.
An example is the beta cluster, which recently had a local 'mwdeploy' user created by Puppet on deployment-rsync01 and deployment-bastion. The processes we run (such as scap) end up altering / creating files with the local UID, and whenever LDAP comes back we have a few permission errors all over the place.
Puppet's User type supports a 'provider' attribute which can be set to 'ldap'. Bryan suggested using hiera to set that on labs.
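
A check for the condition described above, added here as an example and not part of the original report or of any project tooling: it compares a local passwd file against a directory export and flags accounts that exist in both, such as a locally created 'mwdeploy'. The function name, sample UIDs and paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Report accounts defined both locally and in the directory.
# Inputs are passwd(5)-format files; on a live host they could come from
# `getent -s files passwd` and `getent -s ldap passwd` (assumption: the NSS
# service is named "ldap" and enumeration is enabled).

# find_shadowed_users LOCAL_PASSWD DIRECTORY_PASSWD
# Prints "name local_uid directory_uid status", in local-file order.
find_shadowed_users() {
    awk -F: '
        # First file (directory export): remember each name and its UID.
        FILENAME == ARGV[1] { if ($1 != "") dir_uid[$1] = $3; next }
        # Second file (local accounts): report names the directory also has.
        ($1 in dir_uid) {
            status = ($3 == dir_uid[$1]) ? "same-uid" : "UID-MISMATCH"
            print $1, $3, dir_uid[$1], status
        }
    ' "$2" "$1"
}

# Constructed sample data: UIDs and paths are invented for illustration.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mwdeploy:x:996:996::/home/mwdeploy:/bin/bash
EOF
    cat > "$tmp/directory" <<'EOF'
mwdeploy:x:603:603:mwdeploy:/home/mwdeploy:/bin/bash
alice:x:2001:500:Alice:/home/alice:/bin/bash
EOF
    find_shadowed_users "$tmp/local" "$tmp/directory"
    rm -rf "$tmp"
}

demo
```

A UID-MISMATCH line marks an account whose files written during the outage will carry the wrong owner once the directory is reachable again.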