Advanced Feature: Configuring Cascading Chaining
2. Configure the intermediate database link or links (in the example, Server 2) to transmit the Proxy Authorization Control.

By default, a database link does not transmit the Proxy Authorization Control. However, when one database link contacts another, this control is used to transmit information needed by the final destination server, so the intermediate database link must transmit it. To configure the database link to transmit the proxy authorization control, add the following to the cn=config,cn=chaining database,cn=plugins,cn=config entry of the intermediate database link:

nsTransmittedControls: 2.16.840.1.113730.3.4.12

The OID value represents the Proxy Authorization Control. For more information about chaining LDAP controls, see Section 3.3.1.2, “Chaining LDAP Controls”.
3. Create a proxy administrative user ACI on all intermediate database links.

The ACI must exist on the server that contains the intermediate database link, which checks the rights of the first database link before passing the request on to another server. For example, if Server 2 does not check the credentials of Server 1, then anyone could bind as anonymous and pass a proxy authorization control allowing them more administrative privileges than appropriate. The proxy ACI prevents this security breach.
a. Create a database, if one does not already exist, on the server containing the intermediate database link. This database will contain the admin user entry and the ACI. For information about creating a database, see Section 3.2.1, “Creating Databases”.

b. Create an entry that corresponds to the administrative user in the database.

c. Create an ACI for the administrative user that targets the appropriate suffix. This ensures the administrator has access only to the suffix of the database link. For example:

aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy admin,cn=config";)

This ACI is like the ACI created on the remote server when configuring simple chaining.
WARNING

Carefully examine access controls when enabling chaining to avoid giving access to restricted areas of the directory. For example, if a default proxy ACI is created on a branch, the users that connect through the database link will be able to see all entries below the branch. There may be cases when not all of the subtrees should be viewed by a user. To avoid a security hole, create an additional ACI to restrict access to the subtree.
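The following is an added example, not part of the Directory Server guide: it generates the LDIF changes for steps 2 and 3c above and then audits a set of ACIs the way the warning suggests, flagging any ACI that grants the proxy right to the anonymous or all-authenticated subjects (ldap:///anyone, ldap:///all) instead of a named proxy administrator. The suffix dc=example,dc=com and the sample "too broad" ACI are constructed for the example.

```python
"""Added example: build the cascading-chaining LDIF for steps 2 and 3c and audit
proxy ACIs on the intermediate server. Not code from the Directory Server guide."""
import re

# OID of the Proxy Authorization Control, as given in step 2.
PROXY_AUTH_CONTROL_OID = "2.16.840.1.113730.3.4.12"

# Directory Server userdn keywords that cover anonymous or every authenticated
# user. A proxy right granted to either lets anyone who reaches the
# intermediate link proxy as someone else, which is exactly what step 3 warns about.
OVERLY_BROAD_SUBJECTS = ("ldap:///anyone", "ldap:///all")


def transmit_control_ldif() -> str:
    """Step 2: add the proxy control to nsTransmittedControls on the chaining
    database configuration entry of the intermediate link."""
    return (
        "dn: cn=config,cn=chaining database,cn=plugins,cn=config\n"
        "changetype: modify\n"
        "add: nsTransmittedControls\n"
        f"nsTransmittedControls: {PROXY_AUTH_CONTROL_OID}\n"
    )


def proxy_admin_aci(proxy_admin_dn: str) -> str:
    """Step 3c: an ACI that grants only the proxy right, only to the named admin."""
    return (
        '(targetattr = "*")(version 3.0; '
        'acl "Proxied authorization for database links"; '
        f'allow (proxy) userdn = "ldap:///{proxy_admin_dn}";)'
    )


def proxy_aci_ldif(suffix: str, proxy_admin_dn: str) -> str:
    """LDIF that attaches the step 3c ACI to the suffix served by the link."""
    return (
        f"dn: {suffix}\n"
        "changetype: modify\n"
        "add: aci\n"
        f"aci: {proxy_admin_aci(proxy_admin_dn)}\n"
    )


# "allow (rights) <bind rule>;" clauses and the userdn subjects inside them.
_ALLOW_RE = re.compile(r"allow\s*\(([^)]*)\)\s*(.*?);", re.IGNORECASE | re.DOTALL)
_USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"', re.IGNORECASE)


def audit_proxy_acis(acis):
    """Return findings for ACIs that grant the proxy right too broadly.

    Only an explicit "proxy" right counts: in Directory Server, "all" grants
    every right except proxy, so it is not treated as a proxy grant here."""
    findings = []
    for aci in acis:
        for clause in _ALLOW_RE.finditer(aci):
            rights = {r.strip().lower() for r in clause.group(1).split(",")}
            if "proxy" not in rights:
                continue
            subjects = _USERDN_RE.findall(clause.group(2))
            if not subjects:
                findings.append(f"proxy right without a userdn subject: {aci}")
            for subject in subjects:
                if subject.lower() in OVERLY_BROAD_SUBJECTS:
                    findings.append(f"proxy right granted to broad subject {subject}: {aci}")
    return findings


if __name__ == "__main__":
    print(transmit_control_ldif())
    print(proxy_aci_ldif("dc=example,dc=com", "cn=proxy admin,cn=config"))
    # Constructed sample: the guide's ACI beside one that hands proxy to anonymous.
    sample = [
        proxy_admin_aci("cn=proxy admin,cn=config"),
        '(targetattr = "*")(version 3.0; acl "too broad"; '
        'allow (proxy) userdn = "ldap:///anyone";)',
    ]
    for finding in audit_proxy_acis(sample):
        print("FINDING:", finding)
```

Run the audit against the ACIs exported from each intermediate server (for example from an ldapsearch of the aci attribute) before enabling chaining; an empty finding list means every proxy grant names a specific bind DN.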
4. Enable local ACI evaluation on all intermediate database links.

To confirm that the proxy administrative ACI is used, enable evaluation of local ACIs on all intermediate database links involved in chaining. Add the following attribute to the cn=database_link,cn=chaining database,cn=plugins,cn=config entry of each intermediate database link: