Re: chaining and proxy

[Howard Chu <hyc@symas.com>]

Pierangelo Masarati wrote:
> Guillaume Rousse wrote:
> > >  Hello.
> > >
> > >  I successfully setup the chain overlay, so as to push changes from a
> > >  slave to a master, with something as:
> > >  overlay             chain
> > >  chain-uri           "ldap://ldap1.domain.tld";
> > >  chain-idassert-bind bindmethod="simple"
> > >                       binddn="cn=chain,ou=roles,dc=domain,dc=tld"
> > >                       credentials="s3cr3t"
> > >                       mode="self"
> > >  chain-idassert-authzFrom "*"
> > >  chain-tls           start
> > >  chain-return-error  TRUE
> > >
> > >  I'm curious, tough, why the slave has to use a proxy identity to
> > >  authenticate on the master, instead of reusing original query
> > >  credentials. Is there something preventing it, or is just that all
> > >  examples I found sofar were using it ?

If by "original query credentials" you mean those of the user that first 
attempted the write operation that got chained, that user's credentials are no 
longer available. That's why you must use a proxy ID that has the authority to 
act on the original user's behalf.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/