Red Hat Directory Server 8.0 Administrator's Guide
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: server1 proxy admin
sn: server1 proxy admin
userPassword: secret
description: Entry for use by database links
CAUTION
Do not use the Directory Manager or Administrator ID user as the proxy
administrative user on the remote server. This creates a security hole.
2. Configure the database link, DBLink2, on server two, using ldapmodify:
dn: cn=DBLink2,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: l=Zanzibar,c=africa,ou=people,dc=example,dc=com
nsfarmserverurl: ldap://zanz.africa.example.com:389/
nsmultiplexorbinddn: cn=server2 proxy admin,cn=config
nsmultiplexorcredentials: secret
cn: DBLink2
nsCheckLocalACI: on

dn: cn="l=Zanzibar,c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: DBLink2
nsslapd-parent-suffix: "c=africa,ou=people,dc=example,dc=com"
cn: l=Zanzibar,c=africa,ou=people,dc=example,dc=com
Since database link DBLink2 is the intermediate database link in the cascading chaining
configuration, set the nsCheckLocalACI attribute to on to allow the server to check whether it
should allow the client and proxy administrative user access to the database link.
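The two security-relevant settings in this step, a non-privileged proxy bind DN and nsCheckLocalACI set to on for the intermediate link, can be checked before the LDIF is passed to ldapmodify. The following Python check is an added example, not part of the Red Hat guide; the sample LDIF is constructed, and PRIVILEGED_DNS, parse_ldif and audit_links are hypothetical names.

```python
import re

# Constructed sample: step 2's entries with two deliberate mistakes and a folded dn.
SAMPLE_LDIF = """\
dn: cn=DBLink2,cn=chaining database,cn=plugins,cn=config
objectclass: nsBackendInstance
nsslapd-suffix: l=Zanzibar,c=africa,ou=people,dc=example,dc=com
nsmultiplexorbinddn: cn=Directory Manager
nsCheckLocalACI: off
cn: DBLink2

dn: cn="l=Zanzibar,c=africa,ou=people,dc=example,dc=com",cn=mapping
  tree,cn=config
nsslapd-backend: DBLink2
"""

# Assumption: the default Directory Manager DN; add site-specific admin DNs as needed.
PRIVILEGED_DNS = {"cn=directory manager"}

def parse_ldif(text):
    """Unfold continuation lines, return one {attr: [values]} dict per entry (no base64 decoding)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_links(entries, intermediate=()):
    """Return (link name, finding) pairs; `intermediate` names the mid-cascade links."""
    findings = []
    middle = {name.lower() for name in intermediate}
    for e in entries:
        if "nsmultiplexorbinddn" not in e:
            continue  # not a database link entry
        name = e.get("cn", ["?"])[0]
        bind_dn = re.sub(r"\s*,\s*", ",", e["nsmultiplexorbinddn"][0].lower())
        if bind_dn in PRIVILEGED_DNS:
            findings.append((name, "proxy bind DN is a privileged account"))
        if name.lower() in middle and e.get("nschecklocalaci", [""])[0].lower() != "on":
            findings.append((name, "intermediate link without nsCheckLocalACI: on"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_links(parse_ldif(SAMPLE_LDIF), intermediate=["DBLink2"]):
        print(f"{name}: {finding}")
```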
3. The database link on server two must be configured to transmit the proxy authorization
control and the loop detection control. To implement the proxy authorization control and the
loop detection control, specify both corresponding OIDs. Add the following information to the
cn=config,cn=chaining database,cn=plugins,cn=config entry on server two:
dn: cn=config,cn=chaining database,cn=plugins,cn=config
changeType: modify
Advanced Feature: Configuring Cascading