Re: chaining and proxy

[Pierangelo Masarati <ando@sys-net.it>]

Howard Chu wrote:
> Pierangelo Masarati wrote:
> > Guillaume Rousse wrote:
> > > >  Hello.
> > > >
> > > >  I successfully setup the chain overlay, so as to push changes from a
> > > >  slave to a master, with something as:
> > > >  overlay             chain
> > > >  chain-uri           "ldap://ldap1.domain.tld";
> > > >  chain-idassert-bind bindmethod="simple"
> > > >                       binddn="cn=chain,ou=roles,dc=domain,dc=tld"
> > > >                       credentials="s3cr3t"
> > > >                       mode="self"
> > > >  chain-idassert-authzFrom "*"
> > > >  chain-tls           start
> > > >  chain-return-error  TRUE
> > > >
> > > >  I'm curious, tough, why the slave has to use a proxy identity to
> > > >  authenticate on the master, instead of reusing original query
> > > >  credentials. Is there something preventing it, or is just that all
> > > >  examples I found sofar were using it ?
>
> If by "original query credentials" you mean those of the user that first 
> attempted the write operation that got chained, that user's credentials 
> are no longer available. That's why you must use a proxy ID that has the 
> authority to act on the original user's behalf.

Also, there is no guarantee the master can auth that user, if the lave 
is not just a shadow of the master.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------