HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

The second entry creates a new suffix, allowing the server to route requests made to the new
database link. The cn attribute contains the same suffix specified in the nsslapd-suffix
attribute of the database link. The nsslapd-backend attribute contains the name of the
database link. The nsslapd-parent-suffix attribute specifies the parent of this new
suffix, "ou=people,dc=example,dc=com".
3. Create an administrative user on Server B, as follows:
dn: cn=proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: proxy admin
sn: proxy admin
userPassword: secret
description: Entry for use by database links
CAUTION:
Do not use the Directory Manager user as the proxy administrative user on the remote server.
This creates a security hole.
4. Add the following proxy authorization ACI to the
l=Zanzibar,ou=people,dc=example,dc=com entry on Server B:
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy admin,cn=config";)
This ACI gives the proxy admin user read-only access to the data contained on the remote
server within the l=Zanzibar,ou=people,dc=example,dc=com subtree only.
NOTE:
When a user binds to a database link, the user's identity is sent to the remote server. Access
controls are always evaluated on the remote server. For the user to modify or write data
successfully to the remote server, set up the correct access controls on the remote server. For
more information about how access controls are evaluated in the context of chained operations,
see “Database links and access control evaluation” (page 71).
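The following Python script is an added example, not part of the HP-UX Directory Server guide or product, that checks the two artifacts from steps 3 and 4 before they are loaded on Server B: it parses the proxy admin LDIF entry and the proxy authorization ACI, confirms the ACI's userdn is the proxy admin entry (and not the Directory Manager, per the CAUTION above), and confirms the ACI grants exactly the proxy right. The LDIF text, the ACI strings and the minimal ACI grammar it accepts are constructed for this example; the checker only understands the single-userdn ACI form shown on this page.

```python
import re

# Constructed sample input: the proxy admin entry from step 3, as LDIF text.
PROXY_ADMIN_LDIF = """dn: cn=proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: proxy admin
sn: proxy admin
userPassword: secret
description: Entry for use by database links
"""

# Constructed sample input: the proxy ACI from step 4, folded onto one line.
PROXY_ACI = ('(targetattr = "*")(version 3.0; acl "Proxied authorization '
             'for database links"; allow (proxy) userdn = "ldap:///cn=proxy '
             'admin,cn=config";)')

# Constructed counter-example: grants proxy AND write to the Directory Manager,
# which is exactly what the CAUTION above warns against.
BAD_ACI = ('(targetattr = "*")(version 3.0; acl "bad"; allow (proxy,write) '
           'userdn = "ldap:///cn=Directory Manager";)')

DIRECTORY_MANAGER_DN = "cn=directory manager"

# Minimal grammar for the ACI shape used on this page (hypothetical, not the
# server's full ACI parser): one targetattr, one acl name, one allow/deny
# clause with a rights list, one userdn bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)";\s*\)',
    re.IGNORECASE | re.DOTALL)


def normalize_dn(dn):
    """Case-fold a DN and strip whitespace around '=' so DNs compare reliably."""
    return ','.join(re.sub(r'\s*=\s*', '=', part.strip()).lower()
                    for part in dn.split(','))


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercase attribute: [values]}.

    Folded continuation lines (leading space) are joined; comments are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('#'):
            continue
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(':')
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_aci(aci):
    """Return the pieces of a single-userdn ACI, or raise on unknown syntax."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax")
    return {
        'targetattr': m.group('targetattr'),
        'name': m.group('name'),
        'effect': m.group('effect').lower(),
        'rights': {r.strip().lower() for r in m.group('rights').split(',') if r.strip()},
        'userdn': normalize_dn(m.group('userdn')),
    }


def check_proxy_setup(entry_ldif, aci):
    """Return a list of findings; an empty list means the pair matches the guide."""
    findings = []
    entry = parse_ldif_entry(entry_ldif)
    entry_dn = normalize_dn(entry.get('dn', [''])[0])
    parsed = parse_aci(aci)
    if DIRECTORY_MANAGER_DN in (entry_dn, parsed['userdn']):
        findings.append('proxy administrative user is the Directory Manager (see CAUTION)')
    if parsed['userdn'] != entry_dn:
        findings.append(f"ACI userdn {parsed['userdn']!r} does not match the proxy admin entry {entry_dn!r}")
    if parsed['effect'] != 'allow' or parsed['rights'] != {'proxy'}:
        findings.append(f"ACI should allow exactly the proxy right, got {sorted(parsed['rights'])}")
    if 'userpassword' not in entry:
        findings.append('proxy admin entry has no userPassword, so Server A cannot bind with it')
    return findings


if __name__ == '__main__':
    for label, aci in (('guide ACI', PROXY_ACI), ('bad ACI', BAD_ACI)):
        print(label, check_proxy_setup(PROXY_ADMIN_LDIF, aci) or 'OK')
```

Running the script reports the guide's own entry/ACI pair as OK and lists three findings for the counter-example: the userdn is the Directory Manager, it does not match the proxy admin entry, and it grants write in addition to proxy. Keep in mind that the ACI only limits what the proxy admin may do on Server B; the access controls that apply to the end user's own identity are still evaluated on the remote server, as the NOTE above states.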
2.4.2 Configuring the chaining policy
These procedures describe configuring how Directory Server chains requests made by client
applications to Directory Servers that contain database links. This chaining policy applies to all
database links created on Directory Server.
2.4.2.1 Chaining component operations
A component is any functional unit in the server that uses internal operations. For example, plug-ins
are considered to be components, as are functions in the front-end. However, a single plug-in may
consist of multiple components (for example, the ACI plug-in).
Some components send internal LDAP requests to the server, expecting to access local data only.
For such components, control the chaining policy so that the components can complete their
operations successfully. One example is the certificate verification function. Chaining the LDAP
request made by the function to check certificates implies that the remote server is trusted. If the
remote server is not trusted, then there is a security problem.
By default, no internal operations are chained and no components are allowed to chain, although
this can be overridden.
Additionally, an ACI must be created on the remote server to allow the specified plug-in to perform
its operations on the remote server. The ACI must exist in the suffix assigned to the database link.
2.4 Creating and Maintaining Database Links 63