Posted Mar 22, 2012 5:20 UTC (Thu) by ringerc (subscriber, #3071)
Parent article: Shadow hardening
I struggle to understand the appeal of this when LDAP auth solves so many problems already. About the only big issue is that it's painfully hard to get a Linux distro to use *only* LDAP because there's too much that still assumes /etc/passwd rather than going through NSS.
In particular, distro package config scripts are frequently guilty of trying to create or update users in /etc/passwd and /etc/group, with no mechanism offered to switch them to using LDAP. This tends to leave systems with a split auth setup, where some users and groups are local and some are in the directory. When you want to add a directory user to a local group, this becomes a nightmare.
Please: scrap the file-based auth, and move to LDAP.
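As an added illustration, not part of the comment above, here is a small audit for the split setup it describes: it compares the local /etc/passwd and /etc/group with what NSS enumerates (the output of `getent passwd`, assuming the directory source allows enumeration) and reports directory-only accounts, names defined both locally and in the directory, and local groups whose member lists name directory accounts. All file contents below are constructed samples.

```python
import collections

# Constructed sample: the local files that package scripts write to.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:110:115:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
"""
LOCAL_GROUP = """\
root:x:0:
postgres:x:115:
docker:x:998:jdoe,asmith
"""
# Constructed sample: what `getent passwd` enumerates with 'passwd: files ldap'
# in nsswitch.conf: the local entries first, then the directory's.
NSS_PASSWD = LOCAL_PASSWD + """\
asmith:x:2001:2001:Alice Smith:/home/asmith:/bin/bash
jdoe:x:2002:2002:Jane Doe:/home/jdoe:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid) for each passwd-format line, keeping duplicates."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            yield fields[0], int(fields[2])

def parse_group(text):
    """Map group name -> set of supplementary member names."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def audit_split_auth(local_passwd, local_group, nss_passwd):
    """Report split-auth symptoms: accounts only the directory knows, names
    defined both locally and in the directory (the local entry wins because
    'files' is consulted first, so UIDs may disagree), and local groups whose
    member list names directory-only accounts."""
    local = {name for name, _ in parse_passwd(local_passwd)}
    seen = collections.Counter(name for name, _ in parse_passwd(nss_passwd))
    directory_only = set(seen) - local
    groups = parse_group(local_group)
    return {
        "directory_only_users": sorted(directory_only),
        "shadowed_users": sorted(n for n, c in seen.items() if c > 1),
        "local_groups_with_directory_members": {
            g: sorted(m & directory_only) for g, m in groups.items()
            if m & directory_only},
    }
```

On a real host, replace the three constants with the contents of /etc/passwd, /etc/group and the output of `getent passwd`.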