Red Hat Directory Server 8.0 Administrator's Guide

By default, no internal operations are chained and no components are allowed to chain,
although this can be overridden.
Additionally, an ACI must be created on the remote server to allow the specified plug-in to
perform its operations on the remote server. The ACI must exist in the suffix assigned to the
database link.
The following table lists component names, the potential side-effects of allowing them to chain
internal operations, and the permissions they need in the ACI on the remote server:
| Component Name | Description | Permissions |
|---|---|---|
| ACI plug-in | This plug-in implements access control. Operations used to retrieve and update ACI attributes are not chained because it is not safe to mix local and remote ACI attributes. However, requests used to retrieve user entries may be chained by setting the chaining components attribute, nsActiveChainingComponents: cn=ACI Plugin,cn=plugins,cn=config. | Read, search, and compare |
| Resource limit component | This component sets server limits depending on the user bind DN. Resource limits can be applied on remote users if the resource limitation component is allowed to chain. To chain resource limit component operations, add the chaining component attribute, nsActiveChainingComponents: cn=resource limits,cn=components,cn=config. | Read, search, and compare |
| Certificate-based authentication checking component | This component is used when the SASL-external bind method is used. It retrieves the user certificate from the database on the remote server. Allowing this component to chain means certificate-based | Read, search, and compare |
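The following least-privilege check for the remote-server ACIs described above is an added example, not part of the Red Hat guide. It reads the local nsActiveChainingComponents values and the remote suffix ACIs from LDIF text and reports, for each chained component, a missing ACI or any rights that differ from the read, search, and compare listed in the table. Assumptions: the configuration entry DN, the suffix dc=example,dc=com, the ACI names, and that each ACI names the component in a single userdn bind rule; both LDIF samples are constructed.

```python
import re

# Rights the table lists for the ACI plug-in and resource limit components.
NEEDED = {"read", "search", "compare"}

# Constructed sample: local chaining configuration (entry DN is an assumption).
LOCAL_LDIF = """\
dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsActiveChainingComponents: cn=ACI Plugin,cn=plugins,cn=config
nsActiveChainingComponents: cn=resource limits,cn=components,cn=config
"""

# Constructed sample: remote suffix ACIs; the second is folded and over-broad.
REMOTE_LDIF = """\
dn: dc=example,dc=com
aci: (targetattr = "*")(version 3.0; acl "ACI plug-in chaining"; allow (read,search,compare) userdn = "ldap:///cn=ACI Plugin,cn=plugins,cn=config";)
aci: (targetattr = "*")(version 3.0; acl "Resource limits chaining"; allow
  (read,write,search,compare) userdn = "ldap:///cn=resource limits,cn=components,cn=config";)
"""

# Assumed ACI shape: one allow (...) rule followed by a single userdn bind rule.
ACI_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///([^"]+)"', re.I)

def norm_dn(dn):
    """Case-fold a DN and drop spaces around ',' and '=' for comparison."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def values(ldif, attr):
    """Return every value of attr, after joining folded LDIF lines."""
    text = ldif.replace("\r\n", "\n").replace("\n ", "")
    return re.findall(rf"(?im)^{re.escape(attr)}:[ \t]*(.+)$", text)

def audit(local_ldif, remote_ldif):
    """Map each active component to 'ok', 'missing ACI', or +extra/-absent rights."""
    granted = {}
    for aci in values(remote_ldif, "aci"):
        for perms, dn in ACI_RE.findall(aci):
            rights = {p.strip().lower() for p in perms.split(",")}
            granted.setdefault(norm_dn(dn), set()).update(rights)
    report = {}
    for comp in map(norm_dn, values(local_ldif, "nsActiveChainingComponents")):
        have = granted.get(comp)
        if have is None:
            report[comp] = "missing ACI"
        else:
            extra = ["+" + r for r in sorted(have - NEEDED)]
            absent = ["-" + r for r in sorted(NEEDED - have)]
            report[comp] = ",".join(extra + absent) or "ok"
    return report
```

In the report, `+right` marks a right granted beyond those the table lists and `-right` marks a listed right the ACI does not grant.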
Chapter 3. Configuring Directory Databases