Exporting local users for use in a remote directory
I have a Fortigate cluster with some VPN users defined as local password users with 2fa. I'd like to export these users for use in a directory server in order to apply additional login policies (such as inactivity block, or failed login block, etc).
I'd like to do this in the least disruptive way possible, which means I'd like to somehow take the users current passwords and import them into the directory server.
I understand that the password are in a one way hash but since they are hashed in SHA256 (I think), I thought I could use them in a system that understands that hash. Unfortunately I haven't found a way to convert them into a format another directory (for example, unix shadow file) can understand it.
According to Fortigate hardening guide it is base64 encoded, but when I decode the string I get unprintable characters. Are they supposed to be a file?
I know the first characters likely denote the kind of hashing ("$S2$ for SHA-256?) but what else can I do to convert the rest into a Unix readable password?
Thanks for the help.