[Systems] Reset Expired LDAP Password

Bernie Innocenti bernie at codewiz.org
Tue Nov 26 19:28:23 EST 2019


On 27/11/2019 02.48, James Cameron wrote:
> I like that theory.  I've a vague memory of being in ldapvi and seeing
> some accounts are more equal than others.
> 
> If I knew how to convert an account from LDAP to ordinary /etc/passwd
> style, I'd do it.  We're not big enough to justify the effort on LDAP.

LDAP was once useful when SL accounts were spanning multiple servers, 
but now it just adds complexity. If it were my call, I'd just stop 
creating new shell accounts altogether, since they're no longer 
necessary for development and they cause a ton of sysadmin toil (not to 
mention the security concerns).

But the biggest pain point with LDAP seems to be periodic password 
expiration: that was useful to detect inactive accounts that could be 
removed, but expiring passwords is no longer common practice nowadays. 
We could easily change all expiry fields to 99999 with a search & 
replace in ldapvi. We could even delete all passwords, since they were 
only used for SMTP and IMAP.

To move all users out of ldap, simply pipe the output of ldapsearch into 
an awk / perl / python one-liner which converts the records. I'd 
probably do different one-liners to produce passwd, shadow and groups.

-- 
  _ // Bernie Innocenti
  \X/  https://codewiz.org/
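
As an added example (not code from this thread or from its participants), the ldapsearch-to-passwd conversion described above as a small Python script: it parses LDIF output, emits /etc/passwd and /etc/shadow lines with the 99999 max-age mentioned in the message, and only carries over {CRYPT} hashes, since other LDAP password schemes are not usable by the local crypt(3). The sample LDIF, the account names and the hash are constructed.

```python
import base64

# Constructed sample in the shape `ldapsearch -LLL` prints posixAccount entries;
# names, ids and the hash are made up for this example.
_PW = base64.b64encode(b"{CRYPT}$6$salt$fakehash").decode()
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
uidNumber: 1001
gidNumber: 1001
gecos: Alice Example
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword:: %s
shadowLastChange: 18000

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /usr/sbin/nologin
userPassword: {SSHA}notCryptCompatible
""" % _PW

def parse_ldif(text):
    """One {attr: first value} dict per entry; unfolds continuation lines, decodes '::' base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # "\n " is an LDIF line fold
        cur = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if val.startswith(":"):       # 'attr:: value' means base64-encoded value
                val = base64.b64decode(val[1:].strip()).decode()
            cur.setdefault(attr, val.strip())
        if cur:
            entries.append(cur)
    return entries

def to_passwd(e):
    return ":".join([e["uid"], "x", e["uidNumber"], e["gidNumber"], e.get("gecos", ""),
                     e["homeDirectory"], e.get("loginShell", "/usr/sbin/nologin")])

def to_shadow(e):
    """Max age 99999 (no expiry) as the thread proposes.  Only a {CRYPT} hash is usable
    by crypt(3); any other scheme becomes a locked '!' so the user must reset it."""
    pw = e.get("userPassword", "")
    secret = pw[len("{CRYPT}"):] if pw.upper().startswith("{CRYPT}") else "!"
    return ":".join([e["uid"], secret, e.get("shadowLastChange", "0"), "0", "99999", "7", "", "", ""])
```

Locked entries (the "!" secret) are the accounts whose LDAP hash could not be migrated, which is worth reviewing before cutting over.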

