Red Hat Directory Server 8.0 Administrator's Guide
nsslapd-backend: DBLink1
nsslapd-parent-suffix: ou=people,dc=example,dc=com
cn: l=Zanzibar,ou=people,dc=example,dc=com
In the first entry, the nsslapd-suffix attribute contains the suffix on server B to which to
chain from server A. The nsFarmServerURL attribute contains the LDAP URL of server B.
The second entry creates a new suffix, allowing the server to route requests made to the new
database link. The cn attribute contains the same suffix specified in the nsslapd-suffix
attribute of the database link. The nsslapd-backend attribute contains the name of the
database link. The nsslapd-parent-suffix attribute specifies the parent of this new suffix,
ou=people,dc=example,dc=com.
3. Create an administrative user on server B, as follows:
dn: cn=proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: proxy admin
sn: proxy admin
userPassword: secret
description: Entry for use by database links
CAUTION
Do not use the Directory Manager user as the proxy administrative user on the
remote server. This creates a security hole.
4. Add the following proxy authorization ACI to the
l=Zanzibar,ou=people,dc=example,dc=com entry on server B:
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy admin,cn=config";)
This ACI gives the proxy admin user read-only access to the data contained on the remote
server within the l=Zanzibar,ou=people,dc=example,dc=com subtree only.
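The following Python check is an added example, not part of Red Hat's guide. It lints a database link against the caution in step 3 and the ACI in step 4: the link must not bind as the Directory Manager, and its bind DN must hold the proxy right on the chained suffix entry. The sample LDIF is constructed, and the check assumes the link's bind DN is stored in nsMultiplexorBindDN (not shown in this excerpt) and that the root DN is the default cn=Directory Manager.

```python
import re

ACI_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)"', re.I)

def parse_ldif(text):
    """Return {attr: [values]} for one LDIF entry, unfolding continuation lines."""
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():  # newline + one space = folded line
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def norm_dn(dn):
    """Case-fold a DN and drop spaces around ',' and '=' so DNs compare equal."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def aci_grants(aci_values):
    """Map each userdn named in the ACIs to the set of rights it is allowed."""
    grants = {}
    for rights, users in (m for aci in aci_values for m in ACI_RE.findall(aci)):
        for url in users.split("||"):
            dn = norm_dn(re.sub(r"^\s*ldap:///", "", url, flags=re.I))
            grants.setdefault(dn, set()).update(r.strip().lower() for r in rights.split(","))
    return grants

def audit_link(link_ldif, remote_ldif, root_dn="cn=Directory Manager"):
    """Return a list of findings; root_dn is the assumed default root DN."""
    link, remote = parse_ldif(link_ldif), parse_ldif(remote_ldif)
    bind_dn = norm_dn(link.get("nsmultiplexorbinddn", [""])[0])
    findings = []
    if bind_dn == norm_dn(root_dn):
        findings.append("database link binds as the Directory Manager")
    if norm_dn(link.get("nsslapd-suffix", [""])[0]) != norm_dn(remote.get("dn", [""])[0]):
        findings.append("ACI is not on the chained suffix entry")
    if "proxy" not in aci_grants(remote.get("aci", [])).get(bind_dn, set()):
        findings.append("bind DN lacks the proxy right on server B")
    return findings

# Constructed sample input: link entry on server A, suffix entry on server B.
GOOD_LINK = """dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config
nsslapd-suffix: l=Zanzibar,ou=people,dc=example,dc=com
nsMultiplexorBindDN: cn=proxy admin,cn=config"""
BAD_LINK = GOOD_LINK.replace("cn=proxy admin,cn=config", "cn=Directory Manager")
REMOTE = """dn: l=Zanzibar,ou=people,dc=example,dc=com
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization
  for database links"; allow (proxy) userdn = "ldap:///cn=proxy
  admin,cn=config";)"""

print(audit_link(GOOD_LINK, REMOTE), audit_link(BAD_LINK, REMOTE))
```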
NOTE
When a user binds to a database link, the user's identity is sent to the remote
Creating a New Database Link