On 18.03.21 at 17:36, Michael Ströder wrote:
On 3/18/21 5:06 PM, Uwe Sauter wrote:
On 18.03.21 at 16:13, Dale Thompson - NOAA Federal wrote:
There is a slightly sneaky way to get openldap to support any crypt the native OS will support with the {CRYPT} option.
This solution gives you the nice opportunity to create shadow files from LDAP entries if needed.
Beware: this requires giving read access to userPassword values to whatever syncs the local /etc/shadow! Regarding security, this is a real anti-pattern!
In my case the script generating and distributing the shadow file is running on the LDAP server which already has all the required authority.
Only replicas should have read access to userPassword.
Some systems still work better with local accounts.
Whatever issues you might have to address in your deployment you should rather fix your LDAP integration instead of making your LDAP-based /etc/shadow remotely accessible.
This is sadly out of my reach.
Uwe
Ciao, Michael.
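As an added illustration of the two configuration points raised in the thread (it is not from any of the posters), the cn=config LDIF below does two things: it selects the built-in {CRYPT} password scheme with an SHA-512 crypt salt format so that stored hashes are directly usable in an /etc/shadow file, and it shows the userPassword ACL in the form Michael's objection implies, where only the replication identity may read the hashes and everybody else can merely bind against them. The DNs `cn=replicator,dc=example,dc=com` and `cn=shadowsync,dc=example,dc=com`, the database numbering and the salt format are assumptions for the example; the directive names are standard OpenLDAP cn=config attributes.

```ldif
# Added example, not from the mailing-list thread.
# Assumes cn=config, slapd built with crypt(3) support, a replica identity
# cn=replicator,dc=example,dc=com and a hypothetical shadow-sync account
# cn=shadowsync,dc=example,dc=com (all names constructed for illustration).

# 1. Salt format for {CRYPT}: "$6$" selects SHA-512 crypt, %.16s inserts
#    16 random salt characters. This is a global (cn=config) setting.
dn: cn=config
changetype: modify
replace: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$%.16s

# 2. Hash passwords set via the Password Modify extended operation with the
#    OS crypt(3), so the stored value matches what /etc/shadow expects.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {CRYPT}

# 3a. The anti-pattern the thread warns about (shown for contrast, not applied):
#     a remote sync account is granted read on every userPassword.
# olcAccess: {0}to attrs=userPassword
#   by self write
#   by anonymous auth
#   by dn.exact="cn=replicator,dc=example,dc=com" read
#   by dn.exact="cn=shadowsync,dc=example,dc=com" read
#   by * none

# 3b. Corrected ACL: only the replica may read hashes; other identities can
#     only authenticate (bind) against them, never retrieve them.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

Apply it on the LDAP server itself, for instance with `ldapmodify -Y EXTERNAL -H ldapi:/// -f hardening.ldif`, and confirm afterwards that a bind as any non-replica identity returns no userPassword attribute on a search (`ldapsearch ... userPassword` should show the entry without the attribute). With this ACL in place, a shadow-file generator can only run where it already holds replica-level authority, which is the arrangement Uwe describes for his setup.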