On 3/18/21 5:06 PM, Uwe Sauter wrote:
> On 18.03.21 at 16:13, Dale Thompson - NOAA Federal wrote:
>> There is a slightly sneaky way to get openldap to support any crypt
>> the native OS will support with the {CRYPT} option.
>
> This solution gives you the nice opportunity to create shadow files
> from LDAP entries if needed.

Beware, this requires giving read access to userPassword values to
whatever syncs local /etc/shadow! Regarding security this is a real
anti-pattern! Only replicas should have read access to userPassword.

> Some systems still work better with local accounts

Whatever issues you might have to address in your deployment you should
rather fix your LDAP integration instead of making your LDAP-based
/etc/shadow remotely accessible.

Ciao, Michael.
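An audit for the point made in this message, as an added example that is not part of the original thread: it scans olcAccess values for rules on userPassword and reports every subject other than a listed replica DN that is granted read access. The DNs, the sample rules and the function names are constructed for illustration; the check only looks at rules that name userPassword in attrs= and compares DNs as plain lowercase strings.

```python
import re

# slapd.access(5) levels, lowest to highest; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ATTRS_RE = re.compile(r'\battrs=(\S+)', re.I)
# One "by <who> <access>" clause; <who> may be a quoted DN containing spaces.
BY_RE = re.compile(r'\bby\s+(\S+?="[^"]*"|\S+)\s+(\S+)')
DN_RE = re.compile(r'dn(?:\.(?:exact|base))?="([^"]*)"', re.I)

def grants_read(access):
    """True if an access token (level name or privilege string) includes read."""
    if access[0] in "=+":          # privilege form, e.g. =xw or +r
        return "r" in access[1:]
    if access[0] == "-":           # privilege removal never grants read
        return False
    return access in LEVELS and LEVELS.index(access) >= LEVELS.index("read")

def audit(acl_values, replica_dns):
    """Return (who, access) pairs giving non-replicas read on userPassword."""
    allowed = {dn.lower() for dn in replica_dns}
    findings = []
    for value in acl_values:
        m = ATTRS_RE.search(value)
        if not m or "userpassword" not in m.group(1).lower().split(","):
            continue               # assumption: only explicit attrs= rules are checked
        for who, access in BY_RE.findall(value):
            dn = DN_RE.fullmatch(who)
            if dn and dn.group(1).lower() in allowed:
                continue           # replica identity: read access is expected
            if grants_read(access.lower()):
                findings.append((who, access))
    return findings

# Constructed sample olcAccess values (unfolded, one rule per string).
REPLICAS = ["uid=replicator,ou=system,dc=example,dc=org"]
WEAK = ['{0}to attrs=userPassword'
        ' by dn.exact="uid=replicator,ou=system,dc=example,dc=org" read'
        ' by dn.exact="uid=shadow-sync,ou=system,dc=example,dc=org" read'
        ' by self =xw by anonymous auth by * none']
FIXED = ['{0}to attrs=userPassword'
         ' by dn.exact="uid=replicator,ou=system,dc=example,dc=org" read'
         ' by self =xw by anonymous auth by * none']

if __name__ == "__main__":
    for who, access in audit(WEAK, REPLICAS):
        print("non-replica can read userPassword:", who, access)
```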
