Red Hat Directory Server 8.0 Administrator's Guide

the administrator has access only to the suffix of the database link. For example:
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy admin,cn=config";)
This ACI is like the ACI created on the remote server when configuring simple chaining.
CAUTION
Carefully examine access controls when enabling chaining to avoid giving
access to restricted areas of the directory. For example, if a default proxy ACI is
created on a branch, the users that connect through the database link will be
able to see all entries below the branch. There may be cases when not all of the
subtrees should be viewed by a user. To avoid a security hole, create an
additional ACI to restrict access to the subtree.
4. Enable local ACI evaluation on all intermediate database links.
To confirm that the proxy administrative ACI is used, enable evaluation of local ACIs on all intermediate database links involved in chaining. Add the following attribute to the cn=database_link,cn=chaining database,cn=plugins,cn=config entry of each intermediate database link:
nsCheckLocalACI: on
Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to on in their cn=database_link,cn=chaining database,cn=plugins,cn=config entry.
5. Create client ACIs on all intermediate database links and the final destination database.
Because local ACI evaluation is enabled, the appropriate client application ACIs must be
created on all intermediate database links, as well as the final destination database. To do
this on the intermediate database links, first create a database that contains a suffix that
represents a root suffix of the final destination suffix.
For example, if a client request made to the c=africa,ou=people,dc=example,dc=com
suffix is chained to a remote server, all intermediate database links need to contain a
database associated with the dc=example,dc=com suffix.
Add any client ACIs to this superior suffix entry. For example:
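The guide's own example for this step is not reproduced on this page. The following script is an added illustration, not part of the Red Hat Directory Server guide: it emits the LDIF for steps 4 and 5 (turning on nsCheckLocalACI for a database link and for the default instance config, then adding the proxy ACI to the superior suffix) and, following the CAUTION above, adds a second ACI that withholds the proxy right below one subtree that chained users should not see. The database-link name DBLink1, the subtree ou=restricted,dc=example,dc=com, the bind DN cn=Directory Manager and the use of the OpenLDAP ldapmodify client are all assumptions; the check_proxy_aci helper is likewise a constructed sanity check, not a Directory Server feature.

```shell
#!/bin/sh
# Added example (not from the Red Hat Directory Server guide).
# Assumed values: the database-link instance name, the suffix, the
# restricted subtree and the bind DN. Set DS_HOST=host:port to apply the
# LDIF with ldapmodify; leave it unset to just print the LDIF for review.

DS_HOST="${DS_HOST:-}"
DBLINK="${DBLINK:-DBLink1}"                  # assumed link instance name
SUFFIX="${SUFFIX:-dc=example,dc=com}"        # superior suffix held by each link
RESTRICTED="ou=restricted,$SUFFIX"           # assumed subtree to keep hidden
PROXY_ADMIN="cn=proxy admin,cn=config"

# Step 4: enable local ACI evaluation on the intermediate link, and on the
# default instance config so that new links inherit the setting.
ldif_check_local_aci() {
  cat <<EOF
dn: cn=$DBLINK,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsCheckLocalACI
nsCheckLocalACI: on

dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsCheckLocalACI
nsCheckLocalACI: on
EOF
}

# Step 5: client ACIs on the superior suffix. The first grants only the
# proxy right to the proxy administrator; the second is the additional ACI
# the CAUTION calls for. Directory Server gives deny rules precedence over
# allow rules, so proxied requests cannot reach the restricted subtree.
ldif_client_acis() {
  cat <<EOF
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///$PROXY_ADMIN";)

dn: $RESTRICTED
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No proxied authorization below restricted subtree"; deny (proxy) userdn = "ldap:///$PROXY_ADMIN";)
EOF
}

# Constructed sanity check for a proxy ACI string: returns 0 only when the
# allow clause grants exactly "proxy". An "allow (all)" here would let the
# proxy administrator read the suffix directly, not just on behalf of clients.
check_proxy_aci() {
  rights=$(printf '%s' "$1" | sed -n 's/.*allow *(\([^)]*\)).*/\1/p' | tr -d ' ')
  [ "$rights" = "proxy" ]
}

# Apply to the server when DS_HOST is set, otherwise print for review.
apply_ldif() {
  if [ -n "$DS_HOST" ]; then
    ldapmodify -x -H "ldap://$DS_HOST" -D "cn=Directory Manager" -W
  else
    cat
  fi
}

# Usage: DS_HOST=ldap.example.com:389 sh chain-acis.sh
ldif_check_local_aci | apply_ldif
ldif_client_acis | apply_ldif
```

Run the same LDIF against every intermediate database link in the chain, since step 5 requires the client ACIs on each of them as well as on the final destination database. After applying, an ldapsearch for nsCheckLocalACI on the link entry is the quickest way to confirm that step 4 took effect.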
Chapter 3. Configuring Directory Databases
98