[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: chaining and proxy

Howard Chu wrote:
Pierangelo Masarati wrote:
Guillaume Rousse wrote:
>  Hello.
>  I successfully setup the chain overlay, so as to push changes from a
>  slave to a master, with something as:
>  overlay             chain
>  chain-uri           "ldap://ldap1.domain.tld";
>  chain-idassert-bind bindmethod="simple"
>                       binddn="cn=chain,ou=roles,dc=domain,dc=tld"
>                       credentials="s3cr3t"
>                       mode="self"
>  chain-idassert-authzFrom "*"
>  chain-tls           start
>  chain-return-error  TRUE
>  I'm curious, tough, why the slave has to use a proxy identity to
>  authenticate on the master, instead of reusing original query
>  credentials. Is there something preventing it, or is just that all
>  examples I found sofar were using it ?

If by "original query credentials" you mean those of the user that first attempted the write operation that got chained, that user's credentials are no longer available. That's why you must use a proxy ID that has the authority to act on the original user's behalf.

Also, there is no guarantee the master can auth that user, if the lave is not just a shadow of the master.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it