Hi!
Personally I feel: "user certificate" != "server certificate". Does that answer your question?
Regards,

Ulrich
From: BECOT Jérôme <jbecot@itsgroup.com>
Sent: Tuesday, November 19, 2024 11:12 AM
To: openldap-technical <openldap-technical@openldap.org>
Subject: [EXT] Technical account impersonation or not
Hello all,
We currently use two distinct accounts for chaining and replication purposes. We want to use a passwordless policy, so we go for certificates. As we only own a single certificate per slave server, this means that we authenticate as a single user.
We see two ways to do things:

  • Either we use just one account (bound by an olcAuthzRegexp rule) and merge ACLs to allow this account to read the directory for sync and to write authentication attributes for chaining
  • Or we keep two accounts and use Proxy Auth to impersonate the other one

I personally would go for the first one, as I don't see any value in using another mechanism given that these are technical accounts that each have only one purpose, except having a distinct login in the logs.
What would you advise? I may have missed something interesting, any security issue, or maybe there is another way.
Thank you!

Jerome
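As an added example that is not part of the thread, this is what the two options in the list above look like on the provider side, in cn=config LDIF. The suffix dc=example,dc=com, the ou=technical and ou=servers containers, the certificate subject layout, and the password-policy attributes assumed to be written back by chaining are all placeholders.

```ldif
# Option 1: one technical account per slave, mapped from its TLS client
# certificate (SASL EXTERNAL). The match is a regex over the subject DN as
# slapd presents it; adjust it to the CA's real naming convention.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}^cn=([^,]+),ou=servers,o=example$ cn=$1,ou=technical,dc=example,dc=com

# Merged ACLs for that account: write on the authentication attributes that
# chained operations carry back, read on everything else for syncrepl.
# The attribute-specific rule must precede the catch-all, because slapd
# uses the first "to" clause that matches the target. "replace" is used
# here for brevity; in a live directory merge these into the existing set.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,pwdFailureTime,pwdAccountLockedTime
  by dn.children="ou=technical,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.children="ou=technical,dc=example,dc=com" read
  by users read
  by * none

# Option 2: keep the two existing accounts and let the certificate-mapped
# identity assume either of them through proxy authorization. The server
# needs an authorization policy plus an authzTo attribute on the mapped
# entry; the slave then names the wanted account as its SASL authzid
# (syncrepl "authzid=", slapo-chain idassert-bind "authzId=").
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

dn: cn=slave1,ou=technical,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.exact:cn=replicator,ou=technical,dc=example,dc=com
authzTo: dn.exact:cn=chainer,ou=technical,dc=example,dc=com
```

With option 2 the access log still records the certificate identity as the authenticating DN and the assumed account as the authorization DN, which is the "distinct login in the logs" the message mentions; option 1 gives only the mapped account.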