On 3/18/21 5:06 PM, Uwe Sauter wrote:
On 18.03.21 at 16:13, Dale Thompson - NOAA Federal wrote:
There is a slightly sneaky way to get OpenLDAP to support any crypt the native OS will support with the {CRYPT} option.
This solution gives you the nice opportunity to create shadow files from LDAP entries if needed.
Beware, this requires giving read access to userPassword values to whatever syncs local /etc/shadow! Regarding security, this is a real anti-pattern!
Only replicas should have read access to userPassword.
Some systems still work better with local accounts.
Whatever issues you might have to address in your deployment, you should rather fix your LDAP integration instead of making your LDAP-based /etc/shadow remotely accessible.
Ciao, Michael.
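
A check for the rule stated in this thread, that only replicas should be able to read userPassword: the following is an added example, not part of the original messages, that audits unfolded single-line `olcAccess` values. The DNs and ACL lines are constructed, and only the common `to <what> by <who> <access>` forms are parsed.

```python
import re

# OpenLDAP levels that include the read privilege; "=r"/"+r" style grants are handled too.
EXPOSING_LEVELS = {"read", "write", "manage"}
BY_CLAUSE = re.compile(r'\bby\s+(\S+?="[^"]*"|\S+)\s+(\S+)')

def grants_read(access):
    if access[0] in "=+":                      # privilege form, e.g. "=xw" or "+r"
        return "r" in access[1:]
    return access in EXPOSING_LEVELS

def audit_userpassword(acl_values, replica_whos):
    """Return (rule_no, who) pairs that can read userPassword but are not replicas."""
    findings = []
    for rule_no, value in enumerate(acl_values):
        body = re.sub(r'^\s*\{\d+\}', '', value)   # drop the {n} ordering prefix
        what, _, by_part = body.partition(" by ")
        what = what.strip()[len("to"):].strip()
        attrs = re.search(r'\battrs=(\S+)', what)
        if attrs and "userpassword" not in attrs.group(1).lower().split(","):
            continue                               # rule does not cover userPassword
        for who, access in BY_CLAUSE.findall("by " + by_part):
            if grants_read(access) and who not in replica_whos:
                findings.append((rule_no, who))
        # A rule with no dn/filter scope matches every entry, so later rules never apply.
        if not re.search(r'\b(dn(\.\w+)?|filter)=', what):
            break
    return findings

# Constructed sample: a shadow-sync service account was given read on userPassword.
SAMPLE_ACLS = [
    '{0}to attrs=userPassword by self =xw by anonymous auth '
    'by dn.exact="cn=replicator,dc=example,dc=com" read '
    'by dn.exact="cn=shadowsync,dc=example,dc=com" read by * none',
    '{1}to * by * read',
]
SAMPLE_REPLICAS = {'dn.exact="cn=replicator,dc=example,dc=com"'}

if __name__ == "__main__":
    for rule_no, who in audit_userpassword(SAMPLE_ACLS, SAMPLE_REPLICAS):
        print(f"rule {{{rule_no}}}: {who} can read userPassword")
```
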