Hi!
Personally I feel: "user certificate" != "server certificate". Does that answer your question?
Regards, Ulrich
From: BECOT Jérôme jbecot@itsgroup.com
Sent: Tuesday, November 19, 2024 11:12 AM
To: openldap-technical openldap-technical@openldap.org
Subject: [EXT] Technical account impersonation or not
Hello all,
We currently use two distinct accounts for chaining and replication purposes. We want to use a passwordless policy and we go for certificates. As we only own a single certificate per slave server, this means that we authenticate as a single user.
We see two ways to do things:
* Either we just use one account (bound by olcAuthzRegexp rule) and merge ACLs to allow this account to read the directory for sync and write authentication attributes for chaining
* Or we keep two accounts and use Proxy Auth to impersonate the other one
I personally would go for the first one as I don't see any value in using another mechanism given that these are technical accounts that have only one purpose each, except having a distinct login in the logs.
What would you advise? I may have missed something interesting, any security issue, or maybe there is another way.
Thank you! Jerome
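The two options Jérôme describes, as an added cn=config example that is not from the thread or from the OpenLDAP project: a replica binds with SASL EXTERNAL using its client certificate, olcAuthzRegexp maps the certificate subject to one technical account, and that account either gets the merged ACLs directly (option 1) or is allowed to proxy-authorize as the second account (option 2). All DNs, the certificate subject, the database index and the set of "authentication attributes" (taken here to be the ppolicy state attributes) are assumptions for the example.

```ldif
# Added example, not from the thread. Assumed certificate subject of the
# replica: cn=slave1,ou=servers,o=example,c=fr (hypothetical names).

# Map the certificate subject DN to a technical account in the directory.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=([^,]+),ou=servers,o=example,c=fr$"
  "cn=$1,ou=technical,dc=example,dc=com"

# --- Option 1: one account, merged ACLs ---
# Write access is limited to the attributes chaining needs to update;
# everything else is read-only for syncrepl. "by * break" hands the
# operation on to the remaining rules for other identities.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=pwdFailureTime,pwdAccountLockedTime,pwdLastSuccess
  by dn.exact="cn=slave1,ou=technical,dc=example,dc=com" write
  by * break
olcAccess: {1}to *
  by dn.exact="cn=slave1,ou=technical,dc=example,dc=com" read
  by * break

# --- Option 2: two accounts, proxy authorization ---
# Let an authenticated identity assume the identities listed in its own
# authzTo attribute only (policy "to"), so the mapping is controlled on the
# technical account's entry and nothing else can be impersonated.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

dn: cn=slave1,ou=technical,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.exact:cn=chain,ou=technical,dc=example,dc=com

# On the replica, the chaining identity is then requested explicitly, e.g.
# in olcSyncrepl with
#   bindmethod=sasl saslmech=EXTERNAL
#   authzid="dn:cn=chain,ou=technical,dc=example,dc=com"
# so the provider's logs show both who authenticated and who was assumed.
```

With option 2 the provider logs carry the certificate-derived authentication DN as well as the authorized DN, which is the only practical difference Jérôme points out; option 1 keeps a single identity but every permission the replica could ever need ends up on one account, so the ACL above is written to grant write access on the narrowest attribute set that still works.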