Red Hat Directory Server 8.0 Administrator's Guide

Server B must contain a user entry corresponding to the nsMultiplexorBindDN, and proxy
authentication rights must be set for this user. To set the proxy authorization correctly, set the
proxy ACI as you would any other ACI.

CAUTION
Carefully examine access controls when enabling chaining to avoid giving
access to restricted areas of the directory. For example, if a default proxy ACI is
created on a branch, the users who connect via the database link will be able to
see all entries below the branch. There may be cases when not all of the
subtrees should be viewed by a user. To avoid a security hole, create an
additional ACI to restrict access to the subtree.

For more information on ACIs, see Chapter 6, Managing Access Control. For more information
about the proxy authentication control, refer to the LDAP C-SDK documentation at
http://www.mozilla.org/directory.
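
The situation in the caution above, as an added example that is not taken from the guide: a proxy ACI on a branch of Server B, followed by an additional ACI that closes one subtree to the users arriving through the database link. All DNs here (dc=example,dc=com, ou=People, ou=Payroll, ou=Partners, cn=proxy admin,cn=config) are constructed placeholders, and the example assumes the chained clients all bind with DNs under ou=Partners.

```ldif
# Constructed example: every DN below is a placeholder.

# Proxy ACI on the branch reached through the database link.
# It lets the nsMultiplexorBindDN user act on behalf of the
# client that bound to the server holding the database link.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy admin,cn=config";)

# Additional ACI on the subtree that chained users must not see.
# Access is evaluated against the proxied client DN, so the deny
# rule names the client population rather than the proxy user.
dn: ou=Payroll,ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Hide Payroll from chained partner users"; deny (all) userdn = "ldap:///uid=*,ou=Partners,dc=example,dc=com";)
```

After applying both ACIs, a search through the database link as one of the affected users should return entries under ou=People but nothing under ou=Payroll.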

NOTE
When a database link is used by a client application to create or modify entries,
the attributes creatorsName and modifiersName do not reflect the real creator
or modifier of the entries. These attributes contain the name of the administrative
user granted proxied authorization rights on the remote data server.

3.2.2.3. Providing an LDAP URL
On the server containing the database link, identify the remote server that the database link
connects with using an LDAP URL. Unlike the standard LDAP URL format, the URL of the
Chapter 3. Configuring Directory Databases