Pierangelo Masarati wrote:
Guillaume Rousse wrote:
Hello.
I successfully set up the chain overlay, so as to push changes from a slave to a master, with something like:

    overlay chain
    chain-uri "ldap://ldap1.domain.tld"
    chain-idassert-bind bindmethod="simple"
        binddn="cn=chain,ou=roles,dc=domain,dc=tld"
        credentials="s3cr3t"
        mode="self"
    chain-idassert-authzFrom "*"
    chain-tls start
    chain-return-error TRUE

I'm curious, though, why the slave has to use a proxy identity to authenticate on the master, instead of reusing original query credentials. Is there something preventing it, or is it just that all examples I found so far were using it?
If by "original query credentials" you mean those of the user that first attempted the write operation that got chained, that user's credentials are no longer available. That's why you must use a proxy ID that has the authority to act on the original user's behalf.
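
The "authority to act on the original user's behalf" mentioned in the reply has to be granted on the master. A minimal master-side sketch follows, added here as an illustration and not taken from the thread. It assumes the master's slapd.conf sets `authz-policy to` and that user entries live under ou=people,dc=domain,dc=tld (an assumed location):

```ldif
# Added example: apply on the master (ldap1.domain.tld), e.g. with ldapmodify.
# Assumes slapd.conf on the master contains:  authz-policy to
# With that policy, the authzTo values on the proxy identity's own entry
# decide which identities it may assert when it forwards a chained write.
#
# ou=people,dc=domain,dc=tld is an assumed subtree for ordinary users.
# Scoping authzTo to it keeps the proxy identity from asserting
# administrative entries that live elsewhere in the tree.
dn: cn=chain,ou=roles,dc=domain,dc=tld
changetype: modify
add: authzTo
authzTo: dn.subtree:ou=people,dc=domain,dc=tld
-
```

Write access to authzTo should be limited to administrators, since whoever can set it can extend what the proxy identity is allowed to assert.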