HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

and pass a proxy authorization control allowing them more administrative privileges than
appropriate. The proxy ACI prevents this security breach.
a. Create a database, if one does not already exist, on the server containing the intermediate
database link. This database will contain the admin user entry and the ACI. For information
about creating a database, see “Creating databases” (page 38).
b. Create an entry that corresponds to the administrative user in the database.
c. Create an ACI for the administrative user that targets the appropriate suffix. This ensures
the administrator has access only to the suffix of the database link. For example:
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy admin,cn=config";)
This ACI is like the ACI created on the remote server when configuring simple chaining.
CAUTION: Carefully examine access controls when enabling chaining to avoid giving access
to restricted areas of the directory. For example, if a default proxy ACI is created on a branch,
the users that connect through the database link will be able to see all entries below the branch.
There may be cases when not all the subtrees should be viewed by a user. To avoid a security
hole, create an additional ACI to restrict access to the subtree.
4. Enable local ACI evaluation on all intermediate database links.
To confirm that the proxy administrative ACI is used, enable evaluation of local ACIs on all
intermediate database links involved in chaining. Add the following attribute to the
cn=database_link,cn=chaining database,cn=plugins,cn=config entry of each intermediate database link:
nsCheckLocalACI: on
Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config
entry means that all new database link instances will have the nsCheckLocalACI attribute set to on
in their cn=database_link,cn=chaining database,cn=plugins,cn=config entry.
5. Create client ACIs on all intermediate database links and the final destination database.
Because local ACI evaluation is enabled, the appropriate client application ACIs must be
created on all intermediate database links, as well as the final destination database. To do
this on the intermediate database links, first create a database that contains a suffix that
represents a root suffix of the final destination suffix.
For example, if a client request made to the c=africa,ou=people,dc=example,dc=com
suffix is chained to a remote server, all intermediate database links need to contain a database
associated with the dc=example,dc=com suffix.
Add any client ACIs to this superior suffix entry. For example:
aci: (targetattr = "*")(version 3.0; acl "Client authentication for database link users"; allow (all) userdn = "ldap:///uid=*,cn=config";)
This ACI allows client applications that have a uid in the cn=config entry of Server 1 to
perform any type of operation on the data below the ou=people,dc=example,dc=com
suffix on Server 3.
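The following is an added example, not code from the HP-UX Directory Server product or this guide. It is a small Python model of how the ACIs from step c, the CAUTION and step 5 interact once local ACI evaluation is on: an ACI placed on an entry covers that entry's subtree, a deny ACI overrides an allow, a bind DN that matches no allow ACI gets nothing, and the "all" right does not include "proxy". It deliberately ignores targetattr, targetfilter and every bind rule other than userdn. All DNs, the extra deny ACI on ou=restricted and the function names are constructed for this example.

```python
"""Toy model of Directory Server ACI evaluation for the cascading-chaining
setup: subtree scope, deny-overrides-allow, userdn wildcard match, default deny.
Added example; not the product's ACI engine. Sample DNs are constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional, Set

# In Directory Server the "all" keyword covers these rights; "proxy" must be granted explicitly.
ALL_RIGHTS = {"read", "write", "search", "compare", "selfwrite", "add", "delete"}


def norm(dn: str) -> str:
    """Normalise a DN enough for comparison: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or an entry below it."""
    e, b = norm(entry_dn), norm(base_dn)
    return e == b or e.endswith("," + b)


def userdn_matches(pattern: str, bind_dn: str) -> bool:
    """Match a userdn bind rule such as uid=*,cn=config; '*' does not cross an RDN boundary."""
    regex = re.escape(norm(pattern)).replace(r"\*", "[^,]*")
    return re.fullmatch(regex, norm(bind_dn)) is not None


@dataclass
class Aci:
    anchor: str                  # entry carrying the aci attribute; its subtree is the scope
    rights: Set[str]             # e.g. {"proxy"} or {"all"}
    userdn: str                  # userdn bind rule, wildcard allowed in an RDN value
    allow: bool = True           # False models a deny ACI
    target: Optional[str] = None  # optional narrower target subtree inside the scope

    def grants_right(self, right: str) -> bool:
        return right in self.rights or ("all" in self.rights and right in ALL_RIGHTS)

    def applies(self, entry_dn: str, bind_dn: str, right: str) -> bool:
        scope = self.target or self.anchor
        if not (is_under(entry_dn, self.anchor) and is_under(entry_dn, scope)):
            return False
        return self.grants_right(right) and userdn_matches(self.userdn, bind_dn)


def permitted(acis: List[Aci], entry_dn: str, bind_dn: str, right: str) -> bool:
    """Deny ACIs win over allow ACIs; with no matching allow ACI the answer is deny."""
    matching = [a for a in acis if a.applies(entry_dn, bind_dn, right)]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)


# Step c: proxy ACI on the intermediate link's local database, scoped to the chained suffix.
PROXY_ACI = Aci(anchor="dc=example,dc=com", rights={"proxy"}, userdn="cn=proxy admin,cn=config")
# Step 5: client ACI on the superior suffix for client users held under cn=config.
CLIENT_ACI = Aci(anchor="dc=example,dc=com", rights={"all"}, userdn="uid=*,cn=config")
# CAUTION: an additional (constructed) deny ACI so the branch-wide grant does not expose one subtree.
RESTRICT_ACI = Aci(anchor="dc=example,dc=com", rights={"all"}, userdn="uid=*,cn=config",
                   allow=False, target="ou=restricted,dc=example,dc=com")


def scenario() -> dict:
    """Evaluate the combinations a practitioner would check after deploying the ACIs."""
    acis = [PROXY_ACI, CLIENT_ACI]
    people = "ou=people,dc=example,dc=com"
    secret = "cn=secret,ou=restricted,dc=example,dc=com"
    return {
        "proxy admin may proxy": permitted(acis, people, "cn=proxy admin,cn=config", "proxy"),
        "proxy admin may not read": permitted(acis, people, "cn=proxy admin,cn=config", "read"),
        "client may read": permitted(acis, "c=africa," + people, "uid=alice,cn=config", "read"),
        "client may not proxy": permitted(acis, people, "uid=alice,cn=config", "proxy"),
        "outsider denied": permitted(acis, people, "uid=mallory," + people, "read"),
        "restricted visible without deny": permitted(acis, secret, "uid=alice,cn=config", "read"),
        "restricted hidden with deny": permitted(acis + [RESTRICT_ACI], secret, "uid=alice,cn=config", "read"),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The two "restricted" rows are the point of the CAUTION: with only the client ACI on dc=example,dc=com, every entry beneath it is readable through the link, and only the extra deny ACI targeted at the subtree closes that.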
2.4.8.4 Detecting loops
An LDAP control included with Directory Server prevents loops. When first attempting to chain, the
server sets this control to be the maximum number of hops, or chaining connections, allowed. Each
subsequent server decrements the count. If a server receives a count of 0, it determines that a loop
has been detected and notifies the client application.
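As an added example (not Directory Server code), the simulation below walks a request through a chain of servers carrying only the decrementing hop counter described above. The server names, the chaining topology and the hop limits are constructed; the real LDAP control and its encoding are not modelled, and the attribute that sets the limit on a database link is not named on this page.

```python
"""Simulation of hop-count loop detection in cascading chaining.
Added example; the topology and hop limits are constructed sample values."""

from typing import Dict, Optional, Set, Tuple

# topology[name] = (suffixes this server holds locally, server it chains to, or None)
Topology = Dict[str, Tuple[Set[str], Optional[str]]]


def chain_request(topology: Topology, start: str, suffix: str, hop_limit: int) -> dict:
    """Forward a request for `suffix` from `start` until it is served or the chain is cut.

    The first server that chains sets the counter to hop_limit; every later server
    that has to chain again first checks for 0 (loop detected) and then decrements.
    """
    path = [start]
    current = start
    hops: Optional[int] = None          # None until the first server starts chaining
    while True:
        held, next_server = topology[current]
        if suffix in held:
            return {"outcome": "served", "path": path, "hops_left": hops}
        if next_server is None:
            return {"outcome": "no such suffix", "path": path, "hops_left": hops}
        if hops is None:
            hops = hop_limit                # first chaining server initialises the control
        elif hops == 0:
            return {"outcome": "loop detected", "path": path, "hops_left": 0}
        else:
            hops -= 1                       # each subsequent server decrements the count
        current = next_server
        path.append(current)


# Constructed topologies.
LINEAR: Topology = {                         # S1 -> S2 -> S3, S3 holds the data
    "S1": (set(), "S2"),
    "S2": (set(), "S3"),
    "S3": ({"dc=example,dc=com"}, None),
}
CYCLE: Topology = {                          # misconfigured links: A -> B -> C -> A
    "A": (set(), "B"),
    "B": (set(), "C"),
    "C": (set(), "A"),
}
LONG: Topology = {                           # legitimate 4-hop chain
    "S1": (set(), "S2"),
    "S2": (set(), "S3"),
    "S3": (set(), "S4"),
    "S4": (set(), "S5"),
    "S5": ({"dc=example,dc=com"}, None),
}


def demo() -> dict:
    suffix = "dc=example,dc=com"
    return {
        "linear": chain_request(LINEAR, "S1", suffix, hop_limit=10),
        "cycle": chain_request(CYCLE, "A", suffix, hop_limit=3),
        # a limit smaller than the longest legitimate chain is reported as a loop
        "limit too low": chain_request(LONG, "S1", suffix, hop_limit=2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['outcome']} via {' -> '.join(result['path'])}")
```

The third case is the operational caveat: the control counts hops, not server identities, so a limit lower than the depth of a legitimate chain produces the same error as a real loop, and a real loop is only caught once the counter runs out.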
2.4 Creating and Maintaining Database Links 81