Red Hat Directory Server 8.0 Administrator's Guide

server only if the user has the correct access controls on the subtree contained on the remote server. This requires adding the usual access controls to the remote server, with a few restrictions:
• Not all types of access control can be used. For example, role-based or filter-based ACIs need access to the user entry. Because the data are accessed through database links, only the data in the proxy control can be verified. Consider designing the directory so that the user entry is located in the same database as the user's data.
• Access controls based on the IP address or DNS domain of the client might not work, because the original address and domain of the client are lost during chaining. The remote server sees the client application as having the same IP address and DNS domain as the database link.
The following restrictions apply to the ACIs used with database links:
• ACIs must be located with any groups they use. If the groups are dynamic, all users in the group must be located with the ACI and the group. If the group is static, it may refer to remote users.
• ACIs must be located with any role definitions they use and with any users intended to have those roles.
• ACIs that refer to values of a user's entry (for example, userattr subject rules) will work if the user is remote.
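As an added example (not from the guide or from Directory Server itself), the following Python checker reads ACI strings destined for a chained subtree and flags the two restrictions above that can be checked from the ACI text alone: groupdn/roledn bind rules whose group or role DN is not located under the local database suffix, and ip/dns bind rules that see the database link's address instead of the client's. The suffixes, group names and ACIs are constructed for the example; dynamic-group membership and role assignment, which need the actual entries, are not checked.

```python
import re

# Constructed example, not from the guide: the local database holds
# ou=People; a database link chains ou=Remote to a remote server.
LOCAL_SUFFIX = "ou=People,dc=example,dc=com"
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "local group"; allow (read) '
    'groupdn="ldap:///cn=Admins,ou=People,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "remote group"; allow (read) '
    'groupdn="ldap:///cn=Admins,ou=People,dc=example,dc=com || '
    'ldap:///cn=Ops,ou=Remote,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "remote role"; allow (write) '
    'roledn="ldap:///cn=Editor,ou=Remote,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "client host"; allow (read) '
    'userdn="ldap:///anyone" and dns="*.example.com";)',
]
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
DN_RULE_RE = re.compile(r'\b(groupdn|roledn)\s*!?=\s*"([^"]*)"')
HOST_RULE_RE = re.compile(r'\b(ip|dns)\s*!?=')

def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def is_under(dn, suffix):
    """True if dn equals suffix or lies beneath it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def check_aci(aci, local_suffix=LOCAL_SUFFIX):
    """Warn about bind rules that do not evaluate reliably through a database link."""
    warnings = []
    for keyword, urls in DN_RULE_RE.findall(aci):
        # a rule may list several "ldap:///dn?attrs?scope?filter" URLs joined by ||
        for url in urls.split("||"):
            dn = re.sub(r"^ldap:///", "", url.strip()).split("?")[0]
            if not is_under(dn, local_suffix):
                warnings.append(f"{keyword} {dn} is not located with the ACI "
                                f"under {local_suffix}")
    if HOST_RULE_RE.search(aci):
        warnings.append("ip/dns bind rule: the remote server sees the "
                        "database link's address, not the client's")
    return warnings

def audit(acis, local_suffix=LOCAL_SUFFIX):
    """Map each ACI's acl name to its warnings (empty list when clean)."""
    report = {}
    for aci in acis:
        m = ACL_NAME_RE.search(aci)
        report[m.group(1) if m else aci[:40]] = check_aci(aci, local_suffix)
    return report
```

Running `audit(SAMPLE_ACIS)` reports nothing for the ACI whose group lives under ou=People and one finding each for the remote group, the remote role and the dns bind rule.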
Though access controls are always evaluated on the remote server, they can also be evaluated on both the server containing the database link and the remote server. This poses several limitations:
• During access control evaluation, the contents of user entries are not necessarily available (for example, if the access control is evaluated on the server containing the database link and the entry is located on a remote server).
• For performance reasons, clients cannot do remote inquiries and evaluate access controls.
• The database link does not necessarily have access to the entries being modified by the client application. When performing a modify operation, the database link does not have access to the full entry stored on the remote server. If performing a delete operation, the database link is only aware of the entry's DN. If an access control specifies a particular attribute, then a delete operation will fail when being conducted through a database link.
Chapter 3. Configuring Directory Databases
88