Jakub Hrozek wrote:
> On Tue, Nov 29, 2016 at 03:40:26AM -0000, kevin4sullivan(a)gmail.com
> > I don't want to
> > cache credentials and I can't guarantee that the account will have been
> > used to login before LDAP is offline.
> Please note that the credential caching does not actually cache
> plaintext passwords, but only password hashes. Moreover, the cache is
> only accessible to the root user.
Very good for security. But this password caching requires that the user has
done a successful login at least once before. That's not true in practice,
because in the DevOps world admins spin up and configure VMs and containers
without even accessing them. Even if one admin used his password during initial
setup, the admin trying to solve a problem during the night shift likely did not
enter his password before.
Pick your poison:
1. securely organize temporary(!) emergency access
2. LDAP deployment has to be available at all times
3. sync user account and password hashes to /etc/passwd and /etc/shadow
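Option 3 spelled out in code, as an added example that is not from the thread or from SSSD. It assumes the LDAP export is LDIF as ldapsearch prints it (posixAccount entries, userPassword possibly base64 on a "::" line) and that uid 1000 and above is the non-local range; the sample LDIF, the local passwd lines and the hashes are all constructed dummies. The check a practitioner wants is built in: only {CRYPT} hashes are usable by pam_unix via crypt(3), so entries carrying {SSHA} or other LDAP schemes are skipped rather than written as unusable shadow lines, and names that already exist locally or fall below the local uid range are refused so the sync can never clobber root or a local break-glass account.

```python
"""Turn LDAP posixAccount entries into /etc/passwd and /etc/shadow lines.

Added example, not SSSD code. Assumes LDIF input and {CRYPT} password hashes;
all sample data below is constructed, the hashes are not real crypt strings.
"""
import base64
import re

# Constructed sample: what ldapsearch -LLL might export for three accounts.
_ALICE_HASH = "{CRYPT}$6$saltsalt$notarealhashvalue"
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
gecos: Alice Admin
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword:: {base64.b64encode(_ALICE_HASH.encode()).decode()}
shadowLastChange: 17134

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
loginShell: /bin/bash
userPassword: {{SSHA}}Mjg4MjE0YjZhZTg0ZGYyNDY2YmRkNzk0NTdhMGQ5NDY=

dn: uid=root,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword: {{CRYPT}}$6$x$alsonotreal
"""

# Constructed local /etc/passwd content (the accounts that must never be overwritten).
SAMPLE_LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:Local break-glass account:/home/ops:/bin/bash
"""

_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s?(.*)$")
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")      # safe login name
_HASH_RE = re.compile(r"^[A-Za-z0-9./$]+$")             # crypt(3) alphabet, no ':'


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]}; handles '::' base64 and folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                       # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    return entries


def crypt_hash(user_password):
    """Return the crypt(3) string of a {CRYPT} userPassword, None for any other scheme."""
    if not user_password.upper().startswith("{CRYPT}"):
        return None
    h = user_password[len("{CRYPT}"):]
    return h if _HASH_RE.match(h) else None


def local_names(passwd_text):
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln.strip()}


def entry_to_lines(entry, existing, min_uid=1000):
    """Return (passwd_line, shadow_line) or raise ValueError with the reason to skip."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("not a posixAccount")
    name = entry["uid"][0]
    if not _NAME_RE.match(name):
        raise ValueError(f"unsafe user name {name!r}")
    if name in existing:
        raise ValueError("name already exists locally; refusing to overwrite")
    uid, gid = int(entry["uidNumber"][0]), int(entry["gidNumber"][0])
    if uid < min_uid:
        raise ValueError(f"uid {uid} below min_uid {min_uid}, reserved for local accounts")
    hashes = [h for h in map(crypt_hash, entry.get("userPassword", [])) if h]
    if not hashes:
        raise ValueError("no usable {CRYPT} hash; pam_unix cannot verify other LDAP schemes")
    gecos, home, shell = (entry.get("gecos", [""])[0], entry["homeDirectory"][0],
                          entry["loginShell"][0])
    if any(":" in f or "\n" in f for f in (gecos, home, shell)):
        raise ValueError("field contains ':' or newline and would corrupt passwd")
    last = entry.get("shadowLastChange", [""])[0]    # empty = password aging disabled
    return (f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}",
            f"{name}:{hashes[0]}:{last}:0:99999:7:::")


def sync(ldif_text, local_passwd_text, min_uid=1000):
    """Return (passwd_lines, shadow_lines, {name: skip_reason}) for an LDIF export."""
    existing = local_names(local_passwd_text)
    passwd_lines, shadow_lines, skipped = [], [], {}
    for entry in parse_ldif(ldif_text):
        name = entry.get("uid", ["?"])[0]
        try:
            p, s = entry_to_lines(entry, existing, min_uid)
        except (ValueError, KeyError, IndexError) as exc:
            skipped[name] = str(exc)
            continue
        passwd_lines.append(p)
        shadow_lines.append(s)
        existing.add(name)                          # catch duplicates inside the export too
    return passwd_lines, shadow_lines, skipped


if __name__ == "__main__":
    pw, sh, skipped = sync(SAMPLE_LDIF, SAMPLE_LOCAL_PASSWD)
    print("passwd:", *pw, sep="\n  ")
    print("shadow:", *sh, sep="\n  ")
    print("skipped:", *(f"{n}: {r}" for n, r in skipped.items()), sep="\n  ")
```

Feed it an ldapsearch restricted to the admin group rather than the whole directory, so the synced set is the emergency-access set from option 1 and nothing more, and write the resulting lines under the same lock vipw uses rather than appending blindly. The gidNumber is copied without checking that the group exists locally; a matching sync for /etc/group is the obvious companion.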