Hello all,
We currently use two distinct accounts for chaining and replication purposes. We want to adopt a passwordless policy, and we are going for certificates. As we only own a single certificate per slave server, this means that we authenticate as a single user.
We see two ways to do things:
* Either we just use one account (bound by an olcAuthzRegexp rule) and merge ACLs to allow this account to read the directory for sync and to write authentication attributes for chaining
* Or we keep two accounts and use proxy authorization to impersonate the other one
I personally would go for the first one, as I don't see any value in using another mechanism given that these are technical accounts that have only one purpose each, except having a distinct login in the logs.
What would you advise? I may have missed something interesting, any security issue, or maybe there is another way.
Thank you!
Jerome
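The two options side by side as slapd-config LDIF, as an added illustration that is not part of the original post or of any OpenLDAP documentation. The certificate subject, the DNs, the password-policy attribute names and the database index are assumptions; the regexp is matched against the SASL EXTERNAL identity slapd derives from the client certificate subject, which is assumed here to be normalized to lowercase attribute types.

```ldif
# Provider: map the replica's TLS client certificate (SASL EXTERNAL) to one
# technical account. Certificate subject and DNs are placeholders.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=replica1\.example\.com,ou=servers,o=example$"
  "cn=replica1,ou=technical,dc=example,dc=com"

# Option 1: one account, merged ACL. Read everything for syncrepl, but write
# only the password-policy state attributes chaining must push back.
# (replace: overwrites the database's existing olcAccess set on purpose)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=pwdFailureTime,pwdAccountLockedTime
  by dn.exact="cn=replica1,ou=technical,dc=example,dc=com" write
  by * none
olcAccess: {1}to attrs=userPassword
  by dn.exact="cn=replica1,ou=technical,dc=example,dc=com" read
  by anonymous auth
  by * none
olcAccess: {2}to *
  by dn.exact="cn=replica1,ou=technical,dc=example,dc=com" read
  by * read

# Option 2: keep two accounts. The certificate identity may assert the sync
# identity (authzTo) and nothing else; the sync account keeps its own ACLs.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

dn: cn=replica1,ou=technical,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.exact:cn=sync,ou=technical,dc=example,dc=com

# Consumer side of option 2: bind with the certificate, act as cn=sync.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://provider.example.com
  bindmethod=sasl saslmech=EXTERNAL
  authzid="dn:cn=sync,ou=technical,dc=example,dc=com"
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +"
  tls_cert=/etc/ldap/replica1.crt tls_key=/etc/ldap/replica1.key
```

With option 2 the provider's log shows the certificate identity binding and then the asserted sync DN, which is the distinct-login-in-the-logs property the post mentions; with option 1 the audit trail is the single merged account.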
Hi!
Personally I feel: "user certificate" != "server certificate". Does that answer your question?
Regards, Ulrich
From: BECOT Jérôme jbecot@itsgroup.com Sent: Tuesday, November 19, 2024 11:12 AM To: openldap-technical openldap-technical@openldap.org Subject: [EXT] Technical account impersonation or not
We can only get server certificates here.
From: Windl, Ulrich u.windl@ukr.de Sent: Tuesday, November 19, 2024 13:32 To: BECOT Jérôme jbecot@itsgroup.com; openldap-technical openldap-technical@openldap.org Subject: RE: Technical account impersonation or not