HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

nsslapd-parent-suffix: "c=africa,ou=people,dc=example,dc=com"
cn: l=Zanzibar,c=africa,ou=people,dc=example,dc=com
Because database link DBLink2 is the intermediate database link in the cascading chaining
configuration, set the nsCheckLocalACI attribute to on so that the server evaluates local
ACIs to decide whether the client and the proxy administrative user are allowed access to the
database link.
3. The database link on Server 2 must be configured to transmit the proxy authorization control
and the loop detection control. To implement both controls, list their OIDs as values of the
nsTransmittedControl attribute. Add the following information to the
cn=config,cn=chaining database,cn=plugins,cn=config entry on Server 2:
dn: cn=config,cn=chaining database,cn=plugins,cn=config
changeType: modify
add: nsTransmittedControl
nsTransmittedControl: 2.16.840.1.113730.3.4.12
nsTransmittedControl: 1.3.6.1.4.1.1466.29539.12
nsTransmittedControl: 2.16.840.1.113730.3.4.12 is the OID for the proxy
authorization control. nsTransmittedControl: 1.3.6.1.4.1.1466.29539.12 is the
OID for the loop detection control.
Check beforehand whether the loop detection control is already configured, and adapt the
above command accordingly: adding a value that the attribute already holds makes the
modify operation fail with LDAP result code 20 (attributeOrValueExists), and none of the
changes in that LDIF record are applied.
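The check that step 3 asks for can be made mechanical. The following POSIX shell helper is an added example, not part of the HP-UX Directory Server guide: it takes the nsTransmittedControl values currently set on the chaining plug-in entry (as returned by an ldapsearch of that entry) and emits a modify LDIF that adds only the OIDs that are still missing, so the record never fails on a duplicate value. The function names (missing_controls, transmitted_control_ldif) and the sample ldapsearch output are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build an idempotent nsTransmittedControl modify for Server 2.
# Assumed workflow (not prescribed by the guide):
#   current=$(ldapsearch -x -h server2 -D "cn=Directory Manager" -W \
#       -b "cn=config,cn=chaining database,cn=plugins,cn=config" -s base nsTransmittedControl)
#   transmitted_control_ldif "$current" | ldapmodify -x -h server2 -D "cn=Directory Manager" -W

PROXY_AUTH_OID="2.16.840.1.113730.3.4.12"      # proxy authorization control
LOOP_DETECT_OID="1.3.6.1.4.1.1466.29539.12"    # loop detection control

# missing_controls CURRENT_LDIF
#   Prints, one per line, the OIDs from the pair above that do not yet appear
#   as "nsTransmittedControl: <oid>" lines in CURRENT_LDIF.
missing_controls() {
    for oid in "$PROXY_AUTH_OID" "$LOOP_DETECT_OID"; do
        # escape the dots so the OID is matched literally, not as a regex wildcard
        esc=$(printf '%s' "$oid" | sed 's/\./\\./g')
        printf '%s\n' "$1" | grep -qi "^nsTransmittedControl: *$esc\$" \
            || printf '%s\n' "$oid"
    done
}

# transmitted_control_ldif CURRENT_LDIF
#   Prints a modify record adding only the missing OIDs; prints nothing when
#   both controls are already configured, so there is nothing to apply.
transmitted_control_ldif() {
    missing=$(missing_controls "$1")
    [ -n "$missing" ] || return 0
    printf 'dn: cn=config,cn=chaining database,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf 'add: nsTransmittedControl\n'
    printf '%s\n' "$missing" | sed 's/^/nsTransmittedControl: /'
}

# Constructed sample of what the ldapsearch above might return on a server
# where the loop detection control is already present but proxy authorization is not.
SAMPLE_CURRENT='dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControl: 2.16.840.1.113730.3.4.2
nsTransmittedControl: 1.3.6.1.4.1.1466.29539.12'
```

Piping the function's output into ldapmodify applies exactly the missing values; for the sample input above it adds only the proxy authorization OID and leaves the existing loop detection value untouched.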
4. Configure the ACIs. On Server 2, ensure that a suffix exists above the
l=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix, so that the following
actions are possible:
• Add the database link suffix.
• Add a local proxy authorization ACI to allow Server 1 to connect using the proxy
authorization administrative user created on Server 2.
• Add a local client ACI so that the client operation succeeds on Server 2 and can be
forwarded to Server 3. This local ACI is needed because local ACI checking is turned
on for the DBLink2 database link.
Both ACIs will be placed on the database that contains the
c=africa,ou=people,dc=example,dc=com suffix.
NOTE:
To create these ACIs, the database corresponding to the
c=africa,ou=people,dc=example,dc=com suffix must already exist to hold the entry.
This database needs to be associated with a suffix above the suffix specified in the
nsslapd-suffix attribute of each database link. That is, the suffix on the final destination
server should be a sub-suffix of the suffix specified on the intermediate server.
a. Add the local proxy authorization ACI to the
c=africa,ou=people,dc=example,dc=com entry. The target is written as an LDAP URL,
and the ACI grants only the proxy right to the Server 1 proxy administrative user:
aci:(targetattr="*")(target="ldap:///l=Zanzibar,c=africa,ou=people,dc=example,dc=com")
(version 3.0; acl "Proxied authorization for database links"; allow (proxy)
userdn = "ldap:///cn=server1 proxy admin,cn=config";)
b. Then add the local client ACI that allows the client operation to succeed on Server 2,
given that local ACI checking is turned on. This ACI is the same as the ACI created on the
destination server to provide access to the
l=Zanzibar,c=africa,ou=people,dc=example,dc=com branch. All users within
c=us,ou=people,dc=example,dc=com may need update access to the
entries in l=Zanzibar,c=africa,ou=people,dc=example,dc=com on Server 3.
Create the following ACI on Server 2 on the
c=africa,ou=people,dc=example,dc=com suffix to allow this:
2.4 Creating and Maintaining Database Links 85