HP-UX Directory Server 8.1 administrator guide

aci: (targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com")
(version 3.0; acl "Client authorization for database links"; allow (all)
userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)
This ACI allows clients that have a UID under c=us,ou=people,dc=example,dc=com
on Server 1 to perform any type of operation on the
l=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on Server 3.
If there are users on Server 2 under a different suffix that require additional
rights on Server 3, it may be necessary to add additional client ACIs on Server 2.
2.4.8.6.3 Configuring Server Three
1. Create an administrative user on Server 3 for Server 2 to use for proxy authorization:
dn: cn=server2 proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: server2 proxy admin
sn: server2 proxy admin
userPassword: secret
description: Entry for use by database links
2. Then add the same local proxy authorization ACI to Server 3 as on Server 2. Add the
following proxy authorization ACI to the l=Zanzibar,ou=people,dc=example,dc=com
entry:
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links";
allow (proxy) userdn = "ldap:///cn=server2 proxy admin,cn=config";)
This ACI gives the Server 2 proxy admin read-only access to the data contained on the remote
server, Server 3, within the l=Zanzibar,ou=people,dc=example,dc=com subtree
only.
3. Create a local client ACI on the l=Zanzibar,ou=people,dc=example,dc=com subtree
that corresponds to the original client application. Use the same ACI as the one created for
the client on Server 2:
aci: (targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com")
(version 3.0; acl "Client authentication for database link users"; allow (all)
userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)
The cascading chaining configuration is now set up. This cascading configuration allows a user
to bind to Server 1 and modify information in the
l=Zanzibar,c=africa,ou=people,dc=example,dc=com branch on Server 3. Depending
on your security needs, it may be necessary to provide more detailed access control.
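The two ACIs on Server 3 must both hold for a chained operation to succeed: the proxy admin entry needs the proxy right, and the original client's DN must match the client ACI for the requested right. The following added example (not part of the guide and not the server's own ACI evaluator) is a simplified model of that check; the ACI strings are copied from the steps above, the sample user and entry DNs are constructed, and the parser only understands the target, allow and userdn fields used here.

```python
import re

# Constructed from the ACIs in the cascading-chaining steps on this page.
PROXY_ACI = ('(targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; '
             'allow (proxy) userdn = "ldap:///cn=server2 proxy admin,cn=config";)')
CLIENT_ACI = ('(targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com")'
              '(version 3.0; acl "Client authentication for database link users"; allow (all) '
              'userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)')


def parse_aci(aci):
    """Extract target, rights and userdn from an ACI string (simplified, assumed syntax only)."""
    target = re.search(r'\(target="([^"]+)"\)', aci)
    rights = re.search(r'allow\s*\(([^)]+)\)', aci)
    userdn = re.search(r'userdn\s*=\s*"ldap:///([^"]+)"', aci)
    return {
        "target": target.group(1).lower() if target else None,
        "rights": {r.strip().lower() for r in rights.group(1).split(",")},
        "userdn": userdn.group(1).lower(),
    }


def dn_matches(pattern, dn):
    """'*' in a userdn RDN value matches one RDN value; the rest of the DN must match exactly."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", "[^,]+") + "$"
    return re.match(regex, dn.lower()) is not None


def under_target(target, dn):
    """No target means the ACI applies to the entry it is placed on and everything below it."""
    return target is None or dn.lower() == target or dn.lower().endswith("," + target)


def grants(aci, bind_dn, entry_dn, right):
    """Does this one ACI allow bind_dn the given right on entry_dn?"""
    a = parse_aci(aci)
    # "all" covers the normal rights but deliberately NOT proxy: proxy must be granted explicitly.
    has_right = right in a["rights"] or ("all" in a["rights"] and right != "proxy")
    return under_target(a["target"], entry_dn) and dn_matches(a["userdn"], bind_dn) and has_right


def chained_op_allowed(proxy_dn, client_dn, entry_dn, right, acis):
    """Server 3's view of a proxied request: proxy admin needs 'proxy', the client needs the right."""
    proxy_ok = any(grants(a, proxy_dn, entry_dn, "proxy") for a in acis)
    client_ok = any(grants(a, client_dn, entry_dn, right) for a in acis)
    return proxy_ok and client_ok
```

Running the check with a client DN outside c=us, or with only the client ACI in place, shows which of the two grants is the one missing.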
2.5 Using referrals
Referrals tell client applications which server to contact for a specific piece of information. This
redirection occurs when a client application requests a directory entry that does not exist on the
local server or when a database has been taken offline for maintenance. This section contains the
following information about referrals:
“Starting the server in referral mode”
“Setting a default referral using the console”
“Creating smart referrals”
“Creating suffix referrals”
For conceptual information on how to use referrals in the directory, see the HP-UX Directory
Server deployment guide.
2.5 Using referrals 89