What I ended up doing to deal with this was write a script that checks if
any local users exist on the IPA server. If they do then it updates the UID
and GID and user's homedir permissions to match what's in IPA.
Maybe not exactly what you're looking for but it worked for us as we
transitioned from local auth to FreeIPA. That and the consistent ID's are
nice.