Pierangelo Masarati wrote:
> Guillaume Rousse wrote:
> > Hello.
> > I successfully set up the chain overlay, so as to push changes from a
> > slave to a master, with something as:
> > overlay chain
> > chain-uri "ldap://ldap1.domain.tld"
> > chain-idassert-bind bindmethod="simple"
> >         binddn="cn=chain,ou=roles,dc=domain,dc=tld"
> >         credentials="s3cr3t"
> >         mode="self"
> > chain-idassert-authzFrom "*"
> > chain-tls start
> > chain-return-error TRUE
> > I'm curious, though, why the slave has to use a proxy identity to
> > authenticate on the master, instead of reusing original query
> > credentials. Is there something preventing it, or is it just that all
> > examples I found so far were using it?
If by "original query credentials" you mean those of the user that first
attempted the write operation that got chained, that user's credentials are no
longer available. That's why you must use a proxy ID that has the authority to
act on the original user's behalf.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
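Added configuration example, not part of the thread: one way to keep the chained proxy identity tightly scoped, reusing the names from Guillaume's config and assuming (not stated in the thread) that user entries live under ou=people,dc=domain,dc=tld. On the slave, chain-idassert-authzFrom limits which local identities may be asserted; on the master, authz-policy and authzTo limit whose identity cn=chain may assume, so the master evaluates the original user's ACLs rather than granting cn=chain broad write access.

```conf
# --- slave (consumer) slapd.conf: chain overlay on the replicated database ---
# Assumed layout: user entries under ou=people,dc=domain,dc=tld.
overlay chain
chain-uri       "ldap://ldap1.domain.tld"
# Encrypt the chained connection and require a verified server certificate.
chain-tls       start tls_reqcert=demand
chain-idassert-bind bindmethod="simple"
        binddn="cn=chain,ou=roles,dc=domain,dc=tld"
        credentials="s3cr3t"
        mode="self"
# Only identities under ou=people may be asserted upstream;
# "*" would allow any local identity to be proxied.
chain-idassert-authzFrom "dn.subtree:ou=people,dc=domain,dc=tld"
chain-return-error TRUE

# --- master (provider) slapd.conf ---
# Proxy authorization is decided by the authzTo attribute of the binding entry.
authz-policy to
# cn=chain needs no write ACL of its own: the chained write runs as the
# asserted user, whose ACLs apply. Users may write their own entry only.
access to dn.subtree="ou=people,dc=domain,dc=tld"
        by self write
        by * read

# --- master: the proxy identity entry (LDIF) ---
# authzTo is an operational attribute; load this as rootdn (or with manage access).
dn: cn=chain,ou=roles,dc=domain,dc=tld
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: chain
# placeholder hash: generate the real value with slappasswd
userPassword: {SSHA}PLACEHOLDER
authzTo: dn.subtree:ou=people,dc=domain,dc=tld
```

With this in place, a chained write from cn=chain on behalf of a DN outside ou=people is refused by the master at the proxy-authorization step, before any ACL is consulted.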