HP-UX Directory Server 8.1 deployment guide

5.3.1.4 Tips for designing smart referrals
Even though smart referrals are easy to implement, consider the following points before using
them:
Keep the design simple.
Deploying the directory service using a complex web of referrals makes administration
difficult. Overusing smart referrals can also lead to circular referral patterns. For example,
a referral points to an LDAP URL, which in turn points to another LDAP URL, and so on
until a referral somewhere in the chain points back to the original server. This is illustrated
below:
Figure 5-10 A circular referral pattern
Redirect at major branchpoints.
Limit referral usage to handle redirection at the suffix level of the directory tree. Smart
referrals redirect lookup requests for leaf (non-branch) entries to different servers and DNs.
As a result, it is tempting to use smart referrals as an aliasing mechanism, which leads to a
complex directory structure that is difficult to secure. Limiting referrals to the suffix
or major branch points of the directory tree limits the number of referrals that have to be
managed, which in turn reduces the directory's administrative overhead.
Consider the security implications.
Access control does not cross referral boundaries. Even if the server where the request
originated allows access to an entry, when a smart referral sends a client request to another
server, the client application may not be allowed access.
In addition, the client's credentials need to be available on the server to which the client is
referred for client authentication to occur.
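One way to check a referral design for the circular pattern described above is to walk every chain offline before deployment. The following is an added example, not part of the original guide or of Directory Server itself; the host names, DNs, the REFERRALS map and the function names are hypothetical, and the DN normalization is deliberately simplified.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: entry URL -> value of its smart referral (ref attribute).
# Hosts and DNs are hypothetical.
REFERRALS = {
    "ldap://ds1.example.com:389/ou=people,dc=example,dc=com":
        "ldap://ds2.example.com/ou=people,l=europe,dc=example,dc=com",
    "ldap://ds2.example.com:389/ou=people,l=europe,dc=example,dc=com":
        "ldap://ds3.example.com:389/ou=staff,dc=example,dc=com",
    "ldap://ds3.example.com:389/ou=staff,dc=example,dc=com":
        "ldap://DS1.example.com/ou=People,%20dc=example,dc=com",
    "ldap://ds1.example.com:389/ou=groups,dc=example,dc=com":
        "ldap://ds4.example.com:389/ou=groups,dc=example,dc=com",
}

def parse_ldap_url(url):
    """Return a comparable (host:port, dn) key for an LDAP URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    # Simplified DN normalization: assumes no escaped commas inside RDN values.
    dn = ",".join(rdn.strip().lower() for rdn in dn.split(","))
    return f"{parts.hostname}:{port}", dn

def trace_referrals(start_url, referrals, max_hops=10):
    """Follow a referral chain; return (status, path) with status
    'resolved', 'loop' or 'hop_limit'."""
    index = {parse_ldap_url(k): v for k, v in referrals.items()}
    path = [parse_ldap_url(start_url)]
    while True:
        target = index.get(path[-1])
        if target is None:
            return "resolved", path          # entry holds no referral
        if len(path) > max_hops:
            return "hop_limit", path         # refuse to follow further
        nxt = parse_ldap_url(target)
        if nxt in path:
            return "loop", path + [nxt]      # chain points back to a visited entry
        path.append(nxt)

def audit(referrals):
    """Map every entry that holds a referral to the status of its chain."""
    return {url: trace_referrals(url, referrals)[0] for url in referrals}

if __name__ == "__main__":
    for url, status in audit(REFERRALS).items():
        print(f"{status:9} {url}")
```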