BECOT Jérôme wrote:
> Hello,
>
> We have a working setup with two mirror masters and two slaves:
>
> * Syncrepl uses a certificate on each node to fetch data, with an
>   olcAuthzRegexp rule to map it to a DSA (simpleSecurityObject).
> * Client SSSD servers also use a dedicated certificate to authenticate on
>   the slaves, with another olcAuthzRegexp to map them to a "per project" DSA.
> * We use different ACLs on the main db because some DSAs have privileged
>   access to some branches.
>
> We want to expose data on other subnets through proxies, and cyber asks us to
> use OpenLDAP with back_ldap.
>
> How should we configure them to use client certificate authentication to the
> backend slaves?
back-ldap cannot use the client's certificates on the backend slaves. All you
can do is configure back-ldap to use proxy authorization to assert the
client's identity on its connections to the backends. back-ldap itself can use
its own certificate or any other authentication method to authenticate itself
to the backends, and then proxy authorize on behalf of the clients.

> Any thoughts appreciated
> Regards
> Jerome

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
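The arrangement described in the reply, written out as cn=config LDIF. This is an added example, not configuration from the thread or from the OpenLDAP project; every hostname, DN, file path and the certificate subject format are assumptions. The proxy terminates the clients' TLS itself and maps their certificates (with the same kind of olcAuthzRegexp rule the slaves already use) to the per-project DSA DNs; back-ldap then binds to the slaves with the proxy's own certificate over SASL/EXTERNAL and asserts the mapped client DN with the proxyAuthz control (RFC 4370), so the slaves' existing per-branch ACLs are evaluated against the client's identity, not the proxy's.

```ldif
# ===== On the proxy (back-ldap) host =====
# Assumed: client certs have subjects like cn=<project>,ou=clients,o=example,
# and the slaves know the per-project DSAs as uid=<project>,ou=projects,dc=example,dc=com.

# 1. Terminate client TLS on the proxy and map each client certificate to the
#    per-project DSA DN the slaves already recognise.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/proxy.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/proxy.key
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=([^,]+),ou=clients,o=example$" "uid=$1,ou=projects,dc=example,dc=com"

# 2. The proxy database. The proxy authenticates to the slaves with its own
#    certificate (SASL/EXTERNAL) and asserts the client's mapped DN.
#    mode=self: an unauthenticated client is asserted as anonymous, so the
#    proxy's credentials never lend a client more access than it had.
dn: olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=com
olcDbURI: ldap://slave1.example.com ldap://slave2.example.com
olcDbStartTLS: start tls_cacert=/etc/ldap/tls/ca.pem tls_reqcert=demand
olcDbIDAssertBind: bindmethod=sasl saslmech=EXTERNAL
  starttls=critical
  tls_cert=/etc/ldap/tls/proxy.crt
  tls_key=/etc/ldap/tls/proxy.key
  tls_cacert=/etc/ldap/tls/ca.pem
  tls_reqcert=demand
  mode=self
# Only per-project DSAs may be asserted; anything else the proxy mapped
# (or failed to map) is refused before it reaches a slave.
olcDbIDAssertAuthzFrom: dn.regex:^uid=[^,]+,ou=projects,dc=example,dc=com$

# ===== On each slave =====
# 3. Allow proxy authorization in the "to" direction and grant it only to the
#    DSA that the slave's existing olcAuthzRegexp rule (assumed) maps the
#    proxy's certificate to.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

dn: cn=proxy1,ou=dsa,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=projects,dc=example,dc=com$
```

Two things to check after loading this: the regex in `olcDbIDAssertAuthzFrom` on the proxy and in `authzTo` on the slave should be equally narrow, since either one alone is enough to let a mis-mapped identity through if the other is loose; and the slave's ACLs must now grant the proxy's DSA nothing beyond what proxy authorization needs, because the data access itself is evaluated against the asserted per-project DN. Exact directive names and accepted keywords vary slightly between releases, so confirm them against slapd-ldap(5) and slapd-config(5) for the installed version.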