Chapter 3. Configuring Directory Databases
nsCheckLocalACI: on

Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to on in their cn=database_link,cn=chaining database,cn=plugins,cn=config entry.

5. Create client ACIs on all intermediate database links and the final destination database.

Because local ACI evaluation is enabled, the appropriate client application ACIs must be created on all intermediate database links, as well as the final destination database. To do this on the intermediate database links, first create a database that contains a suffix that represents a root suffix of the final destination suffix.

For example, if a client request made to the c=africa,ou=people,dc=example,dc=com suffix is chained to a remote server, all intermediate database links need to contain a database associated with the dc=example,dc=com suffix.

Add any client ACIs to this superior suffix entry. For example:

aci: (targetattr = "*")(version 3.0; acl "Client authentication for database link users"; allow (all) userdn = "ldap:///uid=* ,cn=config";)

This ACI allows client applications that have a uid in the cn=config entry of Server 1 to perform any type of operation on the data below the ou=people,dc=example,dc=com suffix on server three.

3.3.7.5. Detecting Loops
An LDAP control included with Directory Server prevents loops. When first attempting to chain, the server sets this control to be the maximum number of hops, or chaining connections, allowed. Each subsequent server decrements the count. If a server receives a count of 0, it determines that a loop has been detected and notifies the client application.

The number of hops allowed is defined using the nsHopLimit attribute. If not specified, the default value is 10.

To use the control, add the following OID to the nsTransmittedControl attribute in the cn=config,cn=chaining database,cn=plugins,cn=config entry:

nsTransmittedControl: 1.3.6.1.4.1.1466.29539.12

If the control is not present in the configuration file of each database link, loop detection will not be implemented.

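The following Python code is an added example, not part of the Directory Server documentation. It audits an LDIF export of one intermediate server's chaining configuration for the two settings described above (nsCheckLocalACI on every database link, and the loop detection OID in nsTransmittedControl) and reports each link's effective hop limit. The link names and sample LDIF are constructed, and reading nsHopLimit from the database link entry is an assumption.

```python
LOOP_OID = "1.3.6.1.4.1.1466.29539.12"   # loop detection control OID from this section
CHAINING = "cn=chaining database,cn=plugins,cn=config"
DEFAULT_HOP_LIMIT = 10                    # default nsHopLimit stated in this section
# Constructed sample input; "link1" and "link2" are hypothetical database link names.
SAMPLE_LDIF = """\
dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControl: 1.3.6.1.4.1.1466.29539.12

dn: cn=link1,cn=chaining database,cn=plugins,cn=config
nsCheckLocalACI: on
nsHopLimit: 5

dn: cn=link2, cn=chaining database, cn=plugins, cn=config
nsCheckLocalACI: off
"""

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}}; base64 ("::") values are not decoded."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded LDIF lines
    entries = {}
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if name.strip().lower() == "dn":
                dn = ",".join(p.strip() for p in value.lower().split(","))
            else:
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if dn:
            entries[dn] = attrs
    return entries

def audit(text):
    """Return (findings, {link dn: effective hop limit}) for one server's export."""
    entries, findings, hops = parse_ldif(text), [], {}
    controls = entries.get("cn=config," + CHAINING, {}).get("nstransmittedcontrol", [])
    if LOOP_OID not in controls:
        findings.append("nsTransmittedControl lacks loop detection OID " + LOOP_OID)
    skip = ("cn=config", "cn=default instance config")  # plug-in level entries, not links
    for dn, attrs in entries.items():
        if not dn.endswith("," + CHAINING) or dn.split(",")[0] in skip:
            continue
        # Assumption: a link entry without nsCheckLocalACI is treated as not enabled.
        if attrs.get("nschecklocalaci", ["off"])[0].lower() != "on":
            findings.append(dn + ": nsCheckLocalACI is not on")
        hops[dn] = int(attrs.get("nshoplimit", [DEFAULT_HOP_LIMIT])[0])
    return findings, hops
```

Calling audit(SAMPLE_LDIF) flags link2 for local ACI evaluation being off and shows link2 falling back to the default hop limit.
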
3.3.7.6. Summary of Cascading Chaining Configuration Attributes
The following table describes the attributes used to configure intermediate database links in a
cascading chain: