Red Hat Directory Server 8.0 Administrator's Guide
5. Click Save.
3.7.4. Configuring Cascading Chaining from the Command-Line
To configure a cascade of database links through the command-line, do the following:
1. Point one database link to the URL of the server containing the intermediate database link.
To create a cascading chain, the nsFarmServerURL attribute of one database link must contain the URL of the server containing another database link. Suppose the database link on the server called example1.com points to a database link on the server called africa.example.com. For example, the cn=database_link,cn=chaining database,cn=plugins,cn=config entry of the database link on server one would contain the following:
nsFarmServerURL: ldap://africa.example.com:389/
2. Configure the intermediate database link or links (in the example, server two) to transmit the Proxy Authorization Control.
By default, a database link does not transmit the Proxy Authorization Control. However, when one database link contacts another, this control is used to transmit information needed by the final destination server. The intermediate database link needs to transmit this control. To configure the database link to transmit the proxy authorization control, add the following to the cn=config,cn=chaining database,cn=plugins,cn=config entry of the intermediate database link:
nsTransmittedControls: 2.16.840.1.113730.3.4.12
The OID value represents the Proxy Authorization Control. For more information about chaining LDAP controls, see Section 3.1.2, “Chaining LDAP Controls”.
3. Create a proxy administrative user ACI on all intermediate database links.
The ACI must exist on the server that contains the intermediate database link that checks the rights of the first database link before translating the request to another server. For example, if server two does not check the credentials of server one, then anyone could bind as anonymous and pass a proxy authorization control allowing them more administrative privileges than appropriate. The proxy ACI prevents this security breach.
a. Create a database, if one does not already exist, on the server containing the intermediate database link. This database will contain the admin user entry and the ACI. For information about creating a database, see Section 2.1, “Creating Databases”.
b. Create an entry that corresponds to the administrative user in the database.
c. Create an ACI for the administrative user that targets the appropriate suffix. This ensures
Chaining
97
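The three command-line steps above, written out as LDIF change records in one script. This is an added example, not text or code from the Red Hat guide: the host names follow the page's example1.com / africa.example.com scenario, while the proxy administrative user DN (cn=proxy admin,cn=config), the suffix dc=example,dc=com, and the Directory Manager bind are constructed assumptions. The ACI in step 3 grants the proxy right only to that one user, which is what makes an anonymous bind carrying the Proxy Authorization Control fail on the intermediate server. Nothing is sent to a server unless APPLY=1 is set; otherwise the script just prints the LDIF for review.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Builds the LDIF for the three
# cascading-chaining steps and applies it with ldapmodify only when APPLY=1.
# Host names, the proxy admin DN and the suffix are constructed placeholders.

FIRST_HOST="${FIRST_HOST:-example1.com}"                      # server one (page's example)
INTERMEDIATE_HOST="${INTERMEDIATE_HOST:-africa.example.com}"  # server two (page's example)
PROXY_ADMIN_DN="${PROXY_ADMIN_DN:-cn=proxy admin,cn=config}"  # assumed admin user DN
SUFFIX="${SUFFIX:-dc=example,dc=com}"                         # assumed suffix the ACI targets
PROXY_AUTH_OID="2.16.840.1.113730.3.4.12"                     # Proxy Authorization Control OID

# Step 1 (run against server one): point its database link at the
# intermediate link on server two via nsFarmServerURL.
step1_ldif() {
cat <<EOF
dn: cn=database_link,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsFarmServerURL
nsFarmServerURL: ldap://${INTERMEDIATE_HOST}:389/
EOF
}

# Step 2 (run against server two): make the intermediate link forward the
# Proxy Authorization Control to the final destination server.
step2_ldif() {
cat <<EOF
dn: cn=config,cn=chaining database,cn=plugins,cn=config
changetype: modify
add: nsTransmittedControls
nsTransmittedControls: ${PROXY_AUTH_OID}
EOF
}

# Step 3 (run against server two): the proxy ACI on the suffix. Only the
# named administrative user may exercise proxied authorization, so a request
# from an unauthenticated or unknown binder that carries the control is refused.
step3_ldif() {
cat <<EOF
dn: ${SUFFIX}
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn="ldap:///${PROXY_ADMIN_DN}";)
EOF
}

# Feed one step's LDIF to ldapmodify on the given host. The bind password is
# taken from the environment (DM_PASSWORD) so it never appears in the script.
apply_step() {
    host="$1"
    ldif_fn="$2"
    "$ldif_fn" | ldapmodify -h "$host" -p 389 \
        -D "cn=Directory Manager" -w "${DM_PASSWORD:?set DM_PASSWORD first}"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_step "$FIRST_HOST" step1_ldif
    apply_step "$INTERMEDIATE_HOST" step2_ldif
    apply_step "$INTERMEDIATE_HOST" step3_ldif
else
    # Dry run: print the three change records for review.
    step1_ldif; echo; step2_ldif; echo; step3_ldif
fi
```

After applying step 3, a quick check from the intermediate server is to bind anonymously and issue a search that carries the Proxy Authorization Control; it should be rejected, while the same search bound as the proxy admin user succeeds. Step 1 is applied to server one and steps 2 and 3 to server two, which is why apply_step takes the host as its first argument.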