Red Hat Directory Server 8.0 Administrator's Guide

given that ACI checking is turned on. This ACI is the same as the ACI created on the
destination server to provide access to the
l=Zanzibar,c=africa,ou=people,dc=example,dc=com branch. All users within
c=us,ou=people,dc=example,dc=com may need to have update access to the entries in
l=Zanzibar,c=africa,ou=people,dc=example,dc=com on server three. Create the
following ACI on server two on the c=africa,ou=people,dc=example,dc=com suffix to
allow this:
aci: (targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com")
(version 3.0; acl "Client authorization for database links"; allow (all)
userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)
This ACI allows clients that have a UID in c=us,ou=people,dc=example,dc=com on
server one to perform any type of operation on the
l=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on server three. If
there are users on server two under a different suffix that require additional rights on
server three, further client ACIs may be needed on server two.
3.7.7.3. Configuring Server Three
1. Create an administrative user on server three for server two to use for proxy authorization:
dn: cn=server2 proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: server2 proxy admin
sn: server2 proxy admin
userPassword: secret
description: Entry for use by database links
2. Then add the same local proxy authorization ACI to server three as on server two. Add the
following proxy authorization ACI to the l=Zanzibar,ou=people,dc=example,dc=com entry:
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links";
allow (proxy) userdn = "ldap:///cn=server2 proxy admin,cn=config";)
This ACI gives the server two proxy admin read-only access to the data contained on the
remote server, server three, within the l=Zanzibar,ou=people,dc=example,dc=com subtree
only.
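The client ACI on server two and the proxy ACI on server three can be checked offline before they are loaded. The following Python script is an added example, not part of the guide or of Directory Server: it parses the ACI subset used in this section (targetattr, optional target, one allow or deny clause, one userdn) and reports which rights a bind DN holds on an entry, treating "all" as every right except proxy, as Directory Server does. DN normalization and userdn wildcard handling are simplified assumptions sufficient for the DNs shown here.

```python
import re

# Constructed inputs: the two ACIs from this section and the subtree each is placed on.
CLIENT_ACI = ('(targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com")'
              '(version 3.0; acl "Client authorization for database links"; allow (all) '
              'userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)')
PROXY_ACI = ('(targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; '
             'allow (proxy) userdn = "ldap:///cn=server2 proxy admin,cn=config";)')
SERVER2 = [(CLIENT_ACI, "c=africa,ou=people,dc=example,dc=com")]
SERVER3 = [(PROXY_ACI, "l=Zanzibar,ou=people,dc=example,dc=com")]
# "all" in an ACI never includes the proxy right; proxy must be granted explicitly.
ALL_RIGHTS = {"read", "write", "search", "compare", "selfwrite", "add", "delete"}


def norm_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators (simplified, assumption)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_aci(aci):
    """Parse the ACI subset used here into target, effect, rights and userdn."""
    head, sep, body = aci.partition("(version 3.0;")
    targets = dict(re.findall(r'\((targetattr|target)\s*=\s*"([^"]*)"\)', head))
    m = re.search(r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*'
                  r'userdn\s*=\s*"ldap:///([^"]*)"', body)
    if not sep or not m:
        raise ValueError("unsupported ACI: " + aci)
    name, effect, rights, userdn = m.groups()
    rights = {r.strip().lower() for r in rights.split(",")}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    return {"name": name, "target": targets.get("target"), "effect": effect,
            "rights": rights, "userdn": userdn}


def dn_in_subtree(dn, base):
    """True when dn equals base or lies below it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def userdn_matches(pattern, bind_dn):
    """A '*' in a userdn such as uid=*,c=us,... stands for one RDN value (assumption)."""
    regex = re.escape(norm_dn(pattern)).replace(r"\*", "[^,]+")
    return re.fullmatch(regex, norm_dn(bind_dn)) is not None


def effective_rights(placed_acis, bind_dn, entry_dn):
    """Rights bind_dn holds on entry_dn for [(aci, dn_where_placed), ...]; deny beats allow."""
    allowed, denied = set(), set()
    for aci_text, placed_at in placed_acis:
        aci = parse_aci(aci_text)
        scope = aci["target"] or placed_at  # no target clause: the ACI covers its own entry
        if dn_in_subtree(entry_dn, placed_at) and dn_in_subtree(entry_dn, scope) \
                and userdn_matches(aci["userdn"], bind_dn):
            (allowed if aci["effect"] == "allow" else denied).update(aci["rights"])
    return allowed - denied
```

Running it against the two servers shows the proxy admin holds only the proxy right on server three, and a c=us user holds every right except proxy under l=Zanzibar on server two while getting nothing outside that target or from another country suffix.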
3. Create a local client ACI on the l=Zanzibar,ou=people,dc=example,dc=com subtree that
corresponds to the original client application. Use the same ACI as the one created for the