On 3/18/21 5:36 PM, Michael Ströder wrote:
> On 3/18/21 5:06 PM, Uwe Sauter wrote:
>> On 3/18/21 4:13 PM, Dale Thompson - NOAA Federal wrote:
>>> There is a slightly sneaky way to get openldap to support any crypt
>>> the native OS will support with the {CRYPT} option.
>> This solution gives you the nice opportunity to create shadow files
>> from LDAP entries if needed.
> Beware that this requires giving read access to userPassword values to
> whatever syncs the local /etc/shadow! Security-wise this is a real
> anti-pattern!
In my case the script generating and distributing the shadow file is running on
the LDAP server, which already has all the required authority.
> Only replicas should have read access to userPassword.
>
>> Some systems still work better with local accounts
>
> Whatever issues you might have to address in your deployment you should
> rather fix your LDAP integration instead of making your LDAP-based
> /etc/shadow remotely accessible.
This is sadly out of my reach.
Uwe
> Ciao, Michael.
>
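The conversion the thread is talking about, written out as an added example (this is not code from the thread or from the OpenLDAP project). It assumes slapd was configured with the documented directives `password-hash {CRYPT}` and `password-crypt-salt-format "$6$%.16s"`, so that userPassword holds a crypt(3) SHA-512 string the local libc can verify, and that the script runs where userPassword is already readable (on the LDAP server itself, as above) rather than from a remote client. The LDIF input, user names, and hash value are constructed for the example; entries whose scheme is not {CRYPT}, or whose value is not a crypt(3) string, are reported rather than silently written into the shadow file.

```python
"""Turn {CRYPT} userPassword values from an LDIF export into /etc/shadow lines.

Assumed slapd configuration (real slapd.conf directives):
    password-hash {CRYPT}
    password-crypt-salt-format "$6$%.16s"
With that, slapd stores crypt(3)-style SHA-512 strings, which /etc/shadow
can use unchanged. {SSHA}, {MD5} or cleartext values cannot be converted.
"""
import base64
import os
import re
import time

# Syntax check only: prefixes glibc/libxcrypt accept ($1$ md5, $5$ sha256,
# $6$ sha512, $2a/b/y$ bcrypt, $y$ yescrypt). The real test is a login.
CRYPT_RE = re.compile(r"^\$(?:1|5|6|2[aby]|y)\$[./A-Za-z0-9$=,]+$")

# Made-up SHA-512 crypt string (16-char salt, 86-char digest field).
FAKE_SHA512 = ("$6$J3s2lzBf1fQk8Zse$"
               + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
               + "abcdefghijklmnopqrstuv")


def ldif_entry(uid, userpassword):
    """One entry as `ldapsearch -LLL uid userPassword` prints it: LDIF
    base64-encodes userPassword (the 'attr:: value' form)."""
    b64 = base64.b64encode(userpassword.encode()).decode()
    return ("dn: uid=%s,ou=People,dc=example,dc=org\n"
            "uid: %s\n"
            "userPassword:: %s\n" % (uid, uid, b64))


# Constructed sample input (hypothetical users).
SAMPLE_LDIF = "\n".join([
    ldif_entry("alice", "{CRYPT}" + FAKE_SHA512),
    ldif_entry("bob", "{SSHA}zt3JEvAxmw7jmqFx2S9c4Vm1Xb/K1bmQ"),  # not crypt(3)
    ldif_entry("carol", "{CRYPT}$6$short$notAValidHash!"),         # bad chars
    ldif_entry("dave", "{crypt}" + FAKE_SHA512),                   # scheme tag is case-insensitive
])


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    and 'attr:: base64'. Folded continuation lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def shadow_line(entry, today_days):
    """Build 'user:hash:lastchg:min:max:warn:inactive:expire:' or raise."""
    uid = entry["uid"][0]
    value = entry.get("userpassword", [""])[0]
    scheme, _, hashed = value.partition("}")
    if not value.startswith("{") or scheme.lower() != "{crypt":
        raise ValueError("%s: scheme %s} is not {CRYPT}, cannot go into /etc/shadow"
                         % (uid, scheme))
    if not CRYPT_RE.match(hashed):
        raise ValueError("%s: userPassword is not a crypt(3) string" % uid)
    return "%s:%s:%d:0:99999:7:::" % (uid, hashed, today_days)


def build_shadow(ldif_text, today_days=None):
    """Return (shadow_lines, skipped_reasons) for every entry in the export."""
    if today_days is None:
        today_days = int(time.time() // 86400)   # shadow lastchg is days since epoch
    lines, skipped = [], []
    for entry in parse_ldif(ldif_text):
        try:
            lines.append(shadow_line(entry, today_days))
        except ValueError as exc:
            skipped.append(str(exc))
    return lines, skipped


def write_shadow(path, lines):
    """Write with a restrictive mode from the start; never via a world-readable temp file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    ok, bad = build_shadow(SAMPLE_LDIF)
    print("\n".join(ok))
    for reason in bad:
        print("skipped:", reason)
```

The skipped list is the check worth keeping: a {SSHA} or cleartext value that slips into the export means some entry was set before `password-hash {CRYPT}` was in place (or was written by a client that hashed it itself), and such users would be locked out on hosts that only see the generated file.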