Red Hat Directory Server 8.0 Administrator's Guide
add: nsTransmittedControl
nsTransmittedControl: 2.16.840.1.113730.3.4.12
nsTransmittedControl: 1.3.6.1.4.1.1466.29539.12
2.16.840.1.113730.3.4.12 is the OID of the proxy authorization control, and
1.3.6.1.4.1.1466.29539.12 is the OID of the loop detection control. Both must be
transmitted by the database link for the cascading chain to work.
Check beforehand whether the loop detection control is already configured, and adapt the
above command accordingly.
4. Configure the ACIs. On server two, ensure that a suffix exists above the
l=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix, so that the following actions
are possible:
• Add the database link suffix
• Add a local proxy authorization ACI to allow server one to connect using the proxy
authorization administrative user created on server two
• Add a local client ACI so the client operation succeeds on server two, and it can be
forwarded to server three. This local ACI is needed because local ACI checking is turned
on for the DBLink2 database link.
Both ACIs will be placed on the database that contains the
c=africa,ou=people,dc=example,dc=com suffix.
NOTE
To create these ACIs, the database corresponding to the
c=africa,ou=people,dc=example,dc=com suffix must already exist to hold the
entry. This database needs to be associated with a suffix above the suffix
specified in the nsslapd-suffix attribute of each database link. That is, the
suffix on the final destination server should be a sub suffix of the suffix specified
on the intermediate server.
a. Add the local proxy authorization ACI to the c=africa,ou=people,dc=example,dc=com
entry:
aci: (targetattr="*")(target="ldap:///l=Zanzibar,c=africa,ou=people,dc=example,dc=com")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=server1 proxy admin,cn=config";)
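The following shell script is an added example for the two preceding steps (adding the nsTransmittedControl values to the database link, and adding the proxy authorization ACI to the suffix entry); it is not taken from the Directory Server guide or from the Directory Server product itself. It builds the ldapmodify input rather than hard-coding it, so that a control that is already configured on the link is not added a second time. The DN of the DBLink2 configuration entry and the sample ldapsearch output are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Directory Server guide or product: generate the
# ldapmodify input for the nsTransmittedControl and proxy ACI steps above.
# Assumed: the link entry DN below (the guide only names the link "DBLink2")
# and the constructed ldapsearch output used as sample input.

PROXY_AUTH_OID="2.16.840.1.113730.3.4.12"    # proxy authorization control
LOOP_DETECT_OID="1.3.6.1.4.1.1466.29539.12"  # chaining loop detection control
LINK_DN="cn=DBLink2,cn=chaining database,cn=plugins,cn=config"   # assumed DN
SUFFIX_DN="c=africa,ou=people,dc=example,dc=com"
TARGET_DN="l=Zanzibar,c=africa,ou=people,dc=example,dc=com"
PROXY_ADMIN_DN="cn=server1 proxy admin,cn=config"

# Constructed sample of what
#   ldapsearch -x -LLL -D "cn=Directory Manager" -W -b "$LINK_DN" -s base nsTransmittedControl
# returns for a link that already has loop detection but not proxy authorization.
SAMPLE_SEARCH_OUTPUT="dn: $LINK_DN
nsTransmittedControl: $LOOP_DETECT_OID"

# has_control SEARCH_OUTPUT OID: succeed if the OID is already configured on the link.
has_control() {
    printf '%s\n' "$1" | grep -qixF "nsTransmittedControl: $2"
}

# missing_controls SEARCH_OUTPUT: print the required OIDs that are not yet configured.
missing_controls() {
    for oid in "$PROXY_AUTH_OID" "$LOOP_DETECT_OID"; do
        has_control "$1" "$oid" || printf '%s\n' "$oid"
    done
}

# control_ldif SEARCH_OUTPUT: ldapmodify input adding only the missing OIDs.
# Prints nothing when both are present, so ldapmodify never sees a duplicate value.
control_ldif() {
    missing=$(missing_controls "$1")
    [ -n "$missing" ] || return 0
    printf 'dn: %s\nchangetype: modify\nadd: nsTransmittedControl\n' "$LINK_DN"
    printf '%s\n' "$missing" | sed 's/^/nsTransmittedControl: /'
}

# proxy_aci_ldif: ldapmodify input adding the step 4a ACI to the suffix entry.
# The ACI grants only the proxy right, only to server one's proxy admin user,
# and only below the database link suffix.
proxy_aci_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$SUFFIX_DN"
    printf 'aci: (targetattr="*")(target="ldap:///%s")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///%s";)\n' \
        "$TARGET_DN" "$PROXY_ADMIN_DN"
}

# Against a live server (needs ldapsearch/ldapmodify and Directory Manager credentials):
#   current=$(ldapsearch -x -LLL -D "cn=Directory Manager" -W -b "$LINK_DN" -s base nsTransmittedControl)
#   control_ldif "$current" | ldapmodify -x -D "cn=Directory Manager" -W
#   proxy_aci_ldif | ldapmodify -x -D "cn=Directory Manager" -W

control_ldif "$SAMPLE_SEARCH_OUTPUT"
proxy_aci_ldif
```

Run against the sample input, control_ldif emits a modify that adds only the proxy authorization OID, because the loop detection OID is already present; with both OIDs present it emits nothing and the ldapmodify step can be skipped.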
b. Then add the local client ACI that will allow the client operation to succeed on server two,
Chapter 3. Configuring Directory Databases