[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: chaining and proxy

Pierangelo Masarati wrote:
Guillaume Rousse wrote:
>  Hello.
>  I successfully setup the chain overlay, so as to push changes from a
>  slave to a master, with something as:
>  overlay             chain
>  chain-uri           "ldap://ldap1.domain.tld";
>  chain-idassert-bind bindmethod="simple"
>                       binddn="cn=chain,ou=roles,dc=domain,dc=tld"
>                       credentials="s3cr3t"
>                       mode="self"
>  chain-idassert-authzFrom "*"
>  chain-tls           start
>  chain-return-error  TRUE
>  I'm curious, tough, why the slave has to use a proxy identity to
>  authenticate on the master, instead of reusing original query
>  credentials. Is there something preventing it, or is just that all
>  examples I found sofar were using it ?

If by "original query credentials" you mean those of the user that first attempted the write operation that got chained, that user's credentials are no longer available. That's why you must use a proxy ID that has the authority to act on the original user's behalf.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/