Subject: overriding the shell with nss_ldap
To: None <netbsd-help@netbsd.org>
From: Thierry Lacoste <th.lacoste@wanadoo.fr>
List: netbsd-help
Date: 06/17/2006 17:23:36

I'm running an ssh server which is a NIS client.
In order to restrict the access I added
+:::::::::/usr/pkg/bin/scponly at the end of /etc/master.passwd.

Now I'd like to replace NIS with OpenLDAP.
Everything is OK with databases/nss_ldap and security/pam-ldap
except that I can't figure out how to locally override the shell.

I copied /usr/pkg/share/examples/nss_ldap/nsswitch.ldap
to /etc/nsswitch.conf. Here's an excerpt:

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:         files ldap
group:          files ldap

The above comment doesn't sound good.
Any suggestion?

Regards,
Thierry.