HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

2.4.6 Database links and access control evaluation
When a user binds to a server containing a database link, the database link sends the user's identity to the remote server. Access controls are always evaluated on the remote server. Every LDAP operation evaluated on the remote server uses the original identity of the client application, passed via the proxied authorization control. Operations succeed on the remote server only if the user has the correct access controls on the subtree contained on the remote server. This requires adding the usual access controls to the remote server, with a few restrictions:

Not all types of access control can be used. For example, role-based or filter-based ACIs need access to the user entry. Because the data are accessed through database links, only the data in the proxy control can be verified. Consider designing the directory in a way that ensures the user entry is located in the same database as the user's data.

Access controls based on the IP address or DNS domain of the client may not work, because the original domain of the client is lost during chaining. The remote server views the client application as being at the same IP address and in the same DNS domain as the database link.
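As an added check that is not part of the original guide, the following Python script scans aci values intended for the remote server and flags bind rules that cannot evaluate as intended when the request arrives through a database link: ip and dns rules (the remote server sees the link's address, not the client's) and roledn, userattr and filter-based userdn rules (these need the bound user's entry, which may not be in the remote database). The ACI strings, acl names and suffix are constructed samples; the userattr keyword is included on the same reasoning as the role-based case, as an assumption of this example rather than a statement of the guide.

```python
import re

# Bind-rule keywords whose evaluation needs information the database link
# does not forward: client IP/DNS are replaced by the link's own address, and
# roledn/userattr need the bound user's entry, which may live in another database.
CHAIN_UNSAFE_KEYWORDS = {
    "ip": "client IP address is replaced by the database link's address",
    "dns": "client DNS domain is replaced by the database link's domain",
    "roledn": "role membership requires reading the bound user's entry",
    "userattr": "attribute comparison requires reading the bound user's entry",
}

BIND_RULE_RE = re.compile(
    r'\b(userdn|groupdn|roledn|userattr|ip|dns)\s*(!?=)\s*"([^"]*)"', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)


def find_chain_unsafe_bind_rules(aci: str) -> list:
    """Return (keyword, reason) for every bind rule in the ACI that will not
    evaluate correctly when the operation is chained over a database link."""
    findings = []
    for keyword, _op, value in BIND_RULE_RE.findall(aci):
        kw = keyword.lower()
        if kw in CHAIN_UNSAFE_KEYWORDS:
            findings.append((kw, CHAIN_UNSAFE_KEYWORDS[kw]))
        elif kw == "userdn" and "?" in value:
            # An LDAP URL carrying a search filter (ldap:///base??scope?(filter))
            # is filter-based: it must be matched against the user's entry.
            findings.append((kw, "filter-based userdn needs the bound user's entry"))
    return findings


def audit_acis(aci_values) -> dict:
    """Map each ACI's acl name to its chain-unsafe bind rules (empty list = fine)."""
    report = {}
    for aci in aci_values:
        m = ACL_NAME_RE.search(aci)
        report[m.group(1) if m else aci[:40]] = find_chain_unsafe_bind_rules(aci)
    return report


# Constructed sample ACIs as they would appear in the aci attribute of the
# remote server's suffix entry; the names and dc=example,dc=com are hypothetical.
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "people read"; allow (read,search,compare) userdn="ldap:///uid=*,ou=People,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "intranet only"; allow (read,search) userdn="ldap:///anyone" and ip="192.0.2.*";)',
    '(targetattr="*")(version 3.0; acl "admin role"; allow (all) roledn="ldap:///cn=Admins,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "engineering filter"; allow (read) userdn="ldap:///dc=example,dc=com??sub?(ou=engineering)";)',
]

if __name__ == "__main__":
    for name, findings in audit_acis(SAMPLE_ACIS).items():
        print(name + ": " + ("OK" if not findings else "; ".join(k + " (" + r + ")" for k, r in findings)))
```

The check is a heuristic over bind-rule keywords only; an ACI that combines a flagged rule with a safe one via "or" is still reported, so review each finding against the intent of the rule.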
2.4 Creating and Maintaining Database Links 71