HP-UX Directory Server 8.1 administrator guide

ManualsBrandsHP ManualsSoftwareHP-UX Directory Server

Additionally, an ACI must be created on the remote server to allow the specified plug-in to

perform its operations on the remote server. The ACI must exist in the suffix assigned to the

database link.

The following table lists component names, the potential side-effects of allowing them to chain

internal operations, and the permissions they need in the ACI on the remote server:

Table 2-3 Components allowed to chain

PermissionsDescriptionComponent name

Read, search, and compareThis plug-in implements access control.

Operations used to retrieve and update ACI

attributes are not chained because it is not safe

to mix local and remote ACI attributes.

However, requests used to retrieve user entries

may be chained by setting the chaining

components attribute,

nsActiveChainingComponents: cn=ACI

Plugin,cn=plugins,cn=config.

ACI plug-in

Read, search, and compareThis component sets server limits depending on

the user bind DN. Resource limits can be applied

on remote users if the resource limitation

component is allowed to chain. To chain

resource limit component operations, add the

chaining component attribute,

nsActiveChainingComponents:

cn=resource

limits,cn=components,cn=config.

Resource limit component

Read, search, and compareThis component is used when the external bind

method is used. It retrieves the user certificate

from the database on the remote server.

Allowing this component to chain means

certificate-based authentication can work with

a database link. To chain this component's

operations, add the chaining component

attribute, nsActiveChainingComponents:

cn=certificate-based

authentication,cn=components,cn=config.

Certificate-based

authentication checking

component

Read, write, search, and compareThis plug-in ensures that updates made to

attributes containing DNs are propagated to all

entries that contain pointers to the attribute. For

example, when an entry that is a member of a

group is deleted, the entry is automatically

removed from the group. Using this plug-in with

chaining helps simplify the management of static

groups when the group members are remote to

the static group definition. To chain this

component's operations, add the chaining

component attribute,

nsActiveChainingComponents:

cn=referential integrity

postoperation,cn=plugins,cn=config.

Referential Integrity plug-in

Read, search, and compareThis plug-in checks that all the values for a

specified attribute are unique (no duplicates). If

this plug-in is chained, it confirms that attribute

values are unique even on attributes changed

through a database link. To chain this

component's operations, add the chaining

component attribute,

nsActiveChainingComponents:

cn=attribute

uniqueness,cn=plugins,cn=config

Attribute Uniqueness plug-in

66 Configuring directory databases