Red Hat Directory Server 8.0 Administrator's Guide

ou: People, dc=HostedCompany1,dc=example,dc=com...
In this case, when the Directory Server evaluates the ACI, it performs a logical OR on the
following expanded expressions:
roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com"
roledn = "ldap:///cn=DomainAdmins,ou=People,dc=HostedCompany1,dc=example,dc=com"
11. Access Control and Replication
ACIs are stored as attributes of entries; therefore, if an entry containing ACIs is part of a
replicated database, the ACIs are replicated like any other attribute.
ACIs are always evaluated on the Directory Server that services the incoming LDAP requests.
This means that when a consumer server receives an update request, it returns a referral to the
supplier server before evaluating whether the request can be serviced on the supplier.
12. Compatibility with Earlier Releases
Some ACI keywords that were used in earlier releases of Directory Server have been
deprecated. However, for reasons of backward compatibility, the following keywords are still
supported:
userdnattr
groupdnattr
Therefore, if you have set up a replication agreement between a legacy supplier server and a
version 8.0 consumer, there should not be any problems in the replication of ACIs.
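Because ACIs replicate as ordinary attribute values, ACIs written with the deprecated keywords reach a version 8.0 consumer unchanged. The following added example (not part of the guide or of Directory Server) scans an LDIF export for `aci` values that still use `userdnattr` or `groupdnattr`, handling folded lines and base64-encoded values; the function names and the sample LDIF are constructed for illustration.

```python
import base64
import re

# Deprecated bind-rule keywords named in this section of the guide.
DEPRECATED = ("userdnattr", "groupdnattr")
KEYWORD_RE = re.compile(r"\b(" + "|".join(DEPRECATED) + r")\s*!?=", re.IGNORECASE)

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_deprecated_acis(ldif_text):
    """Return (entry_dn, keyword, aci_value) for every deprecated keyword in an aci value."""
    hits, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank line, comment, or not an attribute line
        if rest.startswith(":"):  # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "aci":
            for kw in sorted({m.group(1).lower() for m in KEYWORD_RE.finditer(value)}):
                hits.append((dn, kw, value))
    return hits

# Constructed sample export (illustrative values, not taken from the guide).
_ENCODED = base64.b64encode(
    b'(targetattr = "*") (version 3.0; acl "owner"; allow (all) groupdnattr = "owner";)'
).decode()
SAMPLE_LDIF = (
    "dn: ou=People,dc=example,dc=com\n"
    'aci: (targetattr = "*") (version 3.0; acl "mgr"; allow (write)\n'
    '  userdnattr = "manager";)\n'
    'aci: (targetattr = "*") (version 3.0; acl "self"; allow (write)\n'
    '  userdn = "ldap:///self";)\n'
    "\n"
    "dn: ou=Groups,dc=example,dc=com\n"
    f"aci:: {_ENCODED}\n"
)
```

Calling `find_deprecated_acis(SAMPLE_LDIF)` reports the `userdnattr` ACI on `ou=People` and the base64-encoded `groupdnattr` ACI on `ou=Groups`, and skips the `userdn` ACI.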