Pierangelo Masarati wrote:
Guillaume Rousse wrote:
> Hello.
>
> I successfully setup the chain overlay, so as to push changes from a
> slave to a master, with something as:
> overlay chain
> chain-uri "ldap://ldap1.domain.tld";
> chain-idassert-bind bindmethod="simple"
> binddn="cn=chain,ou=roles,dc=domain,dc=tld"
> credentials="s3cr3t"
> mode="self"
> chain-idassert-authzFrom "*"
> chain-tls start
> chain-return-error TRUE
>
> I'm curious, tough, why the slave has to use a proxy identity to
> authenticate on the master, instead of reusing original query
> credentials. Is there something preventing it, or is just that all
> examples I found sofar were using it ?
If by "original query credentials" you mean those of the user that first
attempted the write operation that got chained, that user's credentials are no
longer available. That's why you must use a proxy ID that has the authority to
act on the original user's behalf.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
