Easy:
* Make krb5 module return a suitable error when it's only passed crypted
passwords ("this password is already hashed -- it is of no use to me").
* Workalikes for various apps on other OSs:
http://docs.sun.com/ab2/coll.40.6/REFMAN1/@Ab2PageView/169291
http://docs.sun.com/ab2/coll.40.6/REFMAN1/@Ab2PageView/64438
http://docs.sun.com/ab2/coll.40.6/REFMAN1/@Ab2PageView/64530
http://www.uwsg.iu.edu/usail/man/solaris/logins.1.html
Medium:
* Add the -o option to luseradd/lusermod/lgroupadd/lgroupmod (bad idea?)
* Create variants of the apps that are hard-coded to use files only, for
use in batch environments like post-package-install, or maybe add a
--local flag, which will be interpreted as "shadow files"/"files"....
* Add a shadowGroup schema file if RFC 2307bis doesn't include one, or ask
Luke about adding one, and document what we expect an LDAP directory to
have in order for the ldap module to not get confused (for now, that's
the RFC 2307 schema + inetOrgPerson + TLS).
* Make the LDAP module check the server schema for allowed object classes
and attributes for new user additions and so on; right now it's kind of
a crap shoot to see if the server will reject an operation due to a schema
error.
Hard:
* Figure out how to reconcile lckpwdf() and fcntl() locking when the files
being locked may not even be the system's main files.
* Write a RADIUS back-end.
* Write an NIS or NIS+ back-end using yppasswd.x in glibc, or maybe using the
routines declared in /usr/include/rpcsvc/libnis.h
* Write a libdbi or ODBC back-end.
* Write a hesiod back-end.
* Implement an lgpasswd command for local group administration by the group's
administrators.