[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: chaining and proxy

Howard Chu a écrit :
Pierangelo Masarati wrote:
Guillaume Rousse wrote:
>  Hello.
>  I successfully setup the chain overlay, so as to push changes from a
>  slave to a master, with something as:
>  overlay             chain
>  chain-uri           "ldap://ldap1.domain.tld";
>  chain-idassert-bind bindmethod="simple"
>                       binddn="cn=chain,ou=roles,dc=domain,dc=tld"
>                       credentials="s3cr3t"
>                       mode="self"
>  chain-idassert-authzFrom "*"
>  chain-tls           start
>  chain-return-error  TRUE
>  I'm curious, tough, why the slave has to use a proxy identity to
>  authenticate on the master, instead of reusing original query
>  credentials. Is there something preventing it, or is just that all
>  examples I found sofar were using it ?

If by "original query credentials" you mean those of the user that first attempted the write operation that got chained, that user's credentials are no longer available. That's why you must use a proxy ID that has the authority to act on the original user's behalf.
I was also thinking of such kind of issue. Thanks for your explanations.
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62