Hello all,
We currently use two distinct accounts for chaining and replication purposes. We want to use a passwordless policy, and we go for certificates. As we only own a single certificate per slave server, this means that we authenticate as a single user.
We see two ways to do things:
* Either we just use one account (bound by olcAuthzRegexp rule) and merge ACLs to allow this account to read the directory for sync and write authentication attributes for chaining
* Or we keep two accounts and use Proxy Auth to impersonate the other one
I personally would go for the first one, as I don't see any value in using another mechanism given that these are technical accounts that each have only one purpose, except for having a distinct login in the logs.
What would you advise? I may have missed something interesting, any security issue, or maybe there is another way.
Thank you!
Jerome
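As an added example (not part of the original post, and not a configuration from Jerome's servers), the following cn=config LDIF sketches option 1 end to end: the consumer's TLS client certificate is mapped by olcAuthzRegexp onto one technical account on the provider, that account gets one merged ACL set covering syncrepl reads and the ppolicy state attributes that chained writes need, and on the consumer both syncrepl and the chain overlay bind with the same certificate through SASL EXTERNAL. The trailing records show the extra pieces option 2 would need instead. All names are assumptions: provider master.example.com, consumer replica1.example.com, suffix dc=example,dc=com, account cn=replica,ou=system,dc=example,dc=com, a second account cn=chain,ou=system,dc=example,dc=com, certificate subject cn=replica1.example.com,ou=servers,o=example, and the /etc/ldap key and certificate paths. Database and overlay index numbers ({1}mdb, {0}chain, {0}ppolicy) are likewise assumed.

```ldif
# Added example, not the original poster's configuration. All DNs, hostnames
# and file paths are assumptions. LDIF strips one leading space from
# continuation lines, so wrapped values use two spaces to keep the separator.

# --- Provider: map the certificate subject onto the technical account.
# SASL EXTERNAL presents the subject as "dn:<normalized DN>", hence lowercase.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^dn:cn=replica1\.example\.com,ou=servers,o=example$" "cn=replica,ou=system,dc=example,dc=com"

# --- Provider: merged ACLs for the single account. Chained ppolicy state is
# writable only by it, password hashes are readable only by it (syncrepl has
# to copy them), everything else is read-only for it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=pwdFailureTime,pwdAccountLockedTime,pwdGraceUseTime
  by dn.exact="cn=replica,ou=system,dc=example,dc=com" write
  by * none
olcAccess: {1}to attrs=userPassword
  by dn.exact="cn=replica,ou=system,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by dn.exact="cn=replica,ou=system,dc=example,dc=com" read
  by users read
  by * none

# --- Consumer: syncrepl binds with the server certificate; local writes are
# referred to the provider so the chain overlay can forward them.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://master.example.com
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +"
  bindmethod=sasl saslmech=EXTERNAL tls_reqcert=demand
  tls_cert=/etc/ldap/replica1.crt tls_key=/etc/ldap/replica1.key
  tls_cacert=/etc/ldap/ca.crt
-
add: olcUpdateRef
olcUpdateRef: ldaps://master.example.com

# --- Consumer: make ppolicy forward its lockout/failure updates instead of
# applying them locally (they then follow the update referral).
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE

# --- Consumer: chain overlay whose ldap backend binds with the same
# certificate. mode=none sends no proxyAuthz control, so every chained write
# reaches the provider as cn=replica itself (option 1, no impersonation).
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldaps://master.example.com"
olcDbIDAssertBind: mode=none bindmethod=sasl saslmech=EXTERNAL
  tls_reqcert=demand tls_cert=/etc/ldap/replica1.crt
  tls_key=/etc/ldap/replica1.key tls_cacert=/etc/ldap/ca.crt
olcDbIDAssertAuthzFrom: "dn.regex:.*"

# --- Option 2 instead: keep cn=chain as a second account and let the
# certificate-mapped account assert it (proxy authorization). On the provider:
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

dn: cn=replica,ou=system,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.exact:cn=chain,ou=system,dc=example,dc=com

# On the consumer, option 2 adds authzId="dn:cn=chain,ou=system,dc=example,dc=com"
# to olcDbIDAssertBind above, and the {0} ppolicy ACL on the provider then
# grants write to cn=chain rather than cn=replica.
```

To check the mapping before enabling replication, point LDAPTLS_CERT and LDAPTLS_KEY at the consumer's certificate and key and run `ldapwhoami -H ldaps://master.example.com -Y EXTERNAL` against the provider; it should answer `dn:cn=replica,ou=system,dc=example,dc=com`. In option 2 the same command with `-X dn:cn=chain,ou=system,dc=example,dc=com` exercises the authzTo rule and should answer with the cn=chain DN. The only difference the two options make in the provider's logs is exactly the one named in the post: which bound DN appears on the chained write operations.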