[Systems] Reset Expired LDAP Password
bernie at codewiz.org
Tue Nov 26 19:28:23 EST 2019
On 27/11/2019 02.48, James Cameron wrote:
> I like that theory. I've a vague memory of being in ldapvi and seeing
> some accounts are more equal than others.
> If I knew how to convert an account from LDAP to ordinary /etc/passwd
> style, I'd do it. We're not big enough to justify the effort on LDAP.
LDAP was once useful when SL accounts were spanning multiple servers,
but now it just adds complexity. If it were my call, I'd just stop
creating new shell accounts altogether, since they're no longer
necessary for development and they cause a ton of sysadmin toil (not to
mention the security concerns).

But the biggest pain point with LDAP seems to be periodic password
expiration: that was useful to detect inactive accounts that could be
removed, but expiring passwords is no longer common practice nowadays.
We could easily change all expiry fields to 99999 with a search &
replace in ldapvi. We could even delete all passwords, since they were
only used for SMTP and IMAP.

To move all users out of ldap, simply pipe the output of ldapsearch into
an awk / perl / python one-liner which converts the records. I'd
probably do different one-liners to produce passwd, shadow and groups.
_ // Bernie Innocenti
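As an added example (not code from this thread or from the project's own tooling), here is one way to do the ldapsearch-to-passwd/shadow/group conversion Bernie describes, in Python rather than a one-liner so the LDIF edge cases are visible. It assumes the standard posixAccount, shadowAccount and posixGroup attribute names, and the LDIF sample it embeds is constructed for the demonstration; feed it `ldapsearch -LLL` output on stdin instead.

```python
"""Convert LDIF (as printed by `ldapsearch -LLL`) into passwd, shadow and group lines.

Added example; it assumes RFC 2307 style posixAccount / shadowAccount / posixGroup
attributes. Only {CRYPT} password hashes can be carried over into shadow(5); any
other scheme ({SSHA} etc.) leaves the account locked ("!") so it must get a new
password rather than silently keeping a hash the system cannot verify.
"""
import base64
import sys

# Constructed sample in the shape `ldapsearch -LLL` prints, exercising a base64
# value ("attr::"), a folded continuation line (leading space) and a non-CRYPT hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
gecos:: QWxpY2UgRXhhbXBsZQ==
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {CRYPT}$6$salt$hash
shadowLastChange: 18000
shadowMax: 90
shadowWarning: 7
shadowExpire: 18090

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1001
gecos: Bob Buil
 der
homeDirectory: /home/bob
userPassword: {SSHA}notconvertible

dn: cn=devs,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: devs
gidNumber: 1001
memberUid: alice
memberUid: bob
"""


def parse_ldif(text):
    """Return a list of records, each a dict mapping attribute name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        # LDIF folds long values: a line starting with a space continues the previous one
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():            # blank line terminates a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                    # malformed line, ignore
        if value.startswith(":"):       # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def first(entry, attr, default=""):
    """First value of a (possibly multi-valued) attribute, or the default."""
    return entry.get(attr, [default])[0]


def shadow_hash(entry):
    """Map userPassword to a crypt(3) hash; lock the account if the scheme is not {CRYPT}."""
    pw = first(entry, "userPassword")
    if pw.upper().startswith("{CRYPT}"):
        return pw[len("{CRYPT}"):]
    return "!"


def to_passwd(entry):
    return ":".join([first(entry, "uid"), "x", first(entry, "uidNumber"),
                     first(entry, "gidNumber"), first(entry, "gecos"),
                     first(entry, "homeDirectory"), first(entry, "loginShell", "/bin/sh")])


def to_shadow(entry):
    # shadow(5) field order; missing attributes become empty fields (shadow defaults)
    fields = [first(entry, "uid"), shadow_hash(entry)]
    for attr in ("shadowLastChange", "shadowMin", "shadowMax",
                 "shadowWarning", "shadowInactive", "shadowExpire"):
        fields.append(first(entry, attr))
    fields.append("")                   # reserved trailing field
    return ":".join(fields)


def to_group(entry):
    return ":".join([first(entry, "cn"), "x", first(entry, "gidNumber"),
                     ",".join(entry.get("memberUid", []))])


def convert(ldif_text):
    """Return (passwd_lines, shadow_lines, group_lines) for the records in the LDIF."""
    passwd, shadow, group = [], [], []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "posixaccount" in classes:
            passwd.append(to_passwd(entry))
            shadow.append(to_shadow(entry))
        if "posixgroup" in classes:
            group.append(to_group(entry))
    return passwd, shadow, group


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for title, lines in zip(("passwd", "shadow", "group"), convert(text)):
        # The shadow lines carry password hashes: write them to a mode 0600 file, not stdout
        print("# " + title)
        print("\n".join(lines))
```

Run it as `ldapsearch -LLL -b ou=People,dc=example,dc=org '(objectClass=posixAccount)' | python3 ldif2passwd.py` (the base DN is a placeholder). The converter deliberately does not pass non-CRYPT hashes through, which matches the thread's observation that the LDAP passwords were only used for SMTP/IMAP anyway.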