ATTENTION : Cet e-mail provient de l'extérieur de l'organisation. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes à moins que vous ne reconnaissiez l'expéditeur et que vous sachiez que le contenu est sûr.

Hi!

Persoanlly I feel: „user certificate” != “server certificate”. Does that answer your question?

Regards,

Ulrich

From: BECOT Jérôme <jbecot@itsgroup.com>
Sent: Tuesday, November 19, 2024 11:12 AM
To: openldap-technical <openldap-technical@openldap.org>
Subject: [EXT] Technical account impersonation or not

Hello all,

We currently use two distinct accounts for chaining and replication purpose. We want to use a passwordless policy and we go for certificates. As we only own a single certificate per slave server, this means that we authenticate as a single user.

We see two way to do things:

Either we just use one account (bound by olcAuthzRegexp rule) and merge ACLs to allow this account to read the directory for sync and write authentication attributes for chaining

Or we keep two accounts and use Proxy Auth to impersonate the other one

I personnaly would go for the first one as I don't see any value to use another mechanism given that these are technical accounts that have only one purpose each, except having a distinct login in the logs.

What would you advice ? I may have miss something intersting, any security issue, or maybe there is another way.

Thank you !

Jerome