On 18.03.21 at 17:36, Michael Ströder wrote:
> On 3/18/21 5:06 PM, Uwe Sauter wrote:
>> On 18.03.21 at 16:13, Dale Thompson - NOAA Federal wrote:
>>> There is a slightly sneaky way to get openldap to support any crypt
>>> the native OS will support with the {CRYPT} option.
>>
>> This solution gives you the nice opportunity to create shadow files
>> from LDAP entries if needed.
>
> Beware, this requires giving read access to userPassword values to
> whatever syncs local /etc/shadow! Regarding security this is a real
> anti-pattern!

In my case the script generating and distributing the shadow file is
running on the LDAP server, which already has all the required authority.

> Only replicas should have read access to userPassword.
>
>> Some systems still work better with local accounts
>
> Whatever issues you might have to address in your deployment, you should
> rather fix your LDAP integration instead of making your LDAP-based
> /etc/shadow remotely accessible.

This is sadly out of my reach.

Uwe

> Ciao, Michael.
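For readers wanting to see what the two points in this thread look like in slapd's cn=config (the {CRYPT} scheme Dale mentions, and Michael's rule that only replicas should read userPassword), here is an added example LDIF. It is not from any of the posters; the suffix dc=example,dc=org, the replication identity cn=replicator, the sync account cn=shadow-sync and the database DN olcDatabase={1}mdb are placeholders you would replace with your own.

```ldif
# Added example, not from the thread. All DNs below are placeholders.

# 1. Hash passwords set via the Password Modify extended operation with the
#    OS crypt(3). The salt format asks for SHA-512 crypt ($6$) with a
#    16-character salt, so the stored hash is usable in /etc/shadow.
dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {CRYPT}
-
replace: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$%.16s

# 2. The anti-pattern, shown commented out for contrast: a sync account that
#    may read every userPassword hash so it can build /etc/shadow elsewhere.
# olcAccess: {0}to attrs=userPassword
#   by dn.exact="cn=shadow-sync,dc=example,dc=org" read
#   by self write
#   by anonymous auth
#   by * none

# 3. The rule from the thread: only the replication identity reads the hashes,
#    users may change their own password, everyone else may only bind (auth),
#    and nobody else can read the attribute at all.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=replicator,dc=example,dc=org" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=replicator,dc=example,dc=org" read
  by self write
  by users read
  by * none
```

Load it on the provider with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`. To check the result, bind as an ordinary user and search for an entry requesting userPassword: the attribute should be absent from the result, while a bind with that user's password still succeeds (the `auth` privilege covers that). Note that `replace: olcAccess` drops every existing olcAccess value on that database, so merge any other rules you already have into the list before applying it.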