I am implementing LDAP on Linux based system using openldap.
My management objects to the idea that all individual users will authenticate against an LDAP server because “what if it is not available”
Their suggestion is that we run in parallel a set of local configured users and a set of LDAP configured users and both methods can coexist without conflicts.
I think it is a very bad idea but I cannot think of any good justification why it should be the case.
Besides the obvious that it is going to be very hard to maintain two separate methods for user management on multiple servers (about 20) and that it can create confusion when creating new users or disabling users.
Just to clarify, we have a cluster for the LDAP server and we have high availability.
Also, generic users that are required by the application or the database will stay on the local files.
I am talking about having some individual users managed locally in /etc/shadow and some using the LDAP server no synchronization between the two.
I know it sounds a horrible idea but I need to come up with some strong arguments to convince my “old fashioned” management.
I will appreciate any argument either way.
thanks

That sounds like a bad idea; however, it could be a good idea if the local files are updated regularly from the LDAP files. Your servers should have both a "pull" and a "push" mechanism. Password information changes should always be against the master LDAP server. These changes should be pushed right away.

The biggest risk is if you have a user who is fired/terminated, and you need to shut off their account right away. That's another reason why you need the "push".

LDAP supports replication, so what you can do is run an LDAP mirroring service on each server. Each service is basically a slave to the master one. I believe this supports the push/pull thing I'm talking about, but I'm not 100% sure.