
Re: chaining and proxy



Howard Chu wrote:
Pierangelo Masarati wrote:
Guillaume Rousse wrote:
>  Hello.
>
>  I successfully set up the chain overlay, so as to push changes from a
>  slave to a master, with something like:
>  overlay             chain
>  chain-uri           "ldap://ldap1.domain.tld"
>  chain-idassert-bind bindmethod="simple"
>                       binddn="cn=chain,ou=roles,dc=domain,dc=tld"
>                       credentials="s3cr3t"
>                       mode="self"
>  chain-idassert-authzFrom "*"
>  chain-tls           start
>  chain-return-error  TRUE
>
>  I'm curious, though, why the slave has to use a proxy identity to
>  authenticate on the master, instead of reusing original query
>  credentials. Is there something preventing it, or is it just that all
>  examples I found so far were using it?

If by "original query credentials" you mean those of the user that first attempted the write operation that got chained, that user's credentials are no longer available. That's why you must use a proxy ID that has the authority to act on the original user's behalf.

I was also thinking of that kind of issue. Thanks for your explanations.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
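
Added example, not part of the original thread or of the OpenLDAP project's documentation: the posted chain configuration next to the master-side settings that give the proxy identity "the authority to act on the original user's behalf", with the asserted identities scoped instead of `"*"`. The `ou=people` subtree and the ACL are assumptions; the other names come from the post.

```conf
# ---- slave: slapd.conf (chain overlay as posted, authzFrom narrowed) ----
overlay             chain
chain-uri           "ldap://ldap1.domain.tld"
chain-idassert-bind bindmethod="simple"
                    binddn="cn=chain,ou=roles,dc=domain,dc=tld"
                    credentials="s3cr3t"
                    mode="self"
# Weak: every locally bound identity may be asserted to the master.
#chain-idassert-authzFrom "*"
# Narrower: only identities below ou=people (assumed subtree) are asserted.
chain-idassert-authzFrom "dn.subtree:ou=people,dc=domain,dc=tld"
# The simple bind sends the proxy password, so keep StartTLS enabled.
chain-tls           start
chain-return-error  TRUE

# ---- master: slapd.conf, global section ----
# Evaluate authzTo rules stored in the entry of the identity that bound
# (here: the proxy), so the master decides whom the proxy may act as.
authz-policy        to

# ---- master: database section (assumed ACL, place before broader rules) ----
# authzTo grants impersonation rights, so ordinary users must not write it.
access to attrs=authzTo
        by * none

# ---- master: rule on the proxy entry (LDIF, shown as comments) ----
# dn: cn=chain,ou=roles,dc=domain,dc=tld
# changetype: modify
# add: authzTo
# authzTo: dn.subtree:ou=people,dc=domain,dc=tld
```

With `mode="self"` the slave binds as `cn=chain` and asserts the client's DN on each chained operation; the master accepts the assertion only for DNs matched by the proxy entry's `authzTo` rule.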