Chapter 5. Designing the Directory Topology
• Access control.
The database link impersonates the client application, providing the appropriate authorization
identity to the remote server. User impersonation can be disabled on the remote servers when
access control evaluation is not required. For more information on configuring database links, refer
to the Red Hat Directory Server Administrator's Guide.
5.3.3. Deciding Between Referrals and Chaining
Both methods of linking the directory partitions have advantages and disadvantages. The method, or
combination of methods, to use depends upon the specific needs of the directory service.
The major difference between the two knowledge references is the location of the intelligence that
knows how to locate the distributed information. In a chained system, the intelligence is implemented
in the servers. In a system that uses referrals, the intelligence is implemented in the client application.
While chaining reduces client complexity, it does so at the cost of increased server complexity.
Chained servers must work with remote servers and send the results to directory clients.
With referrals, the client must handle locating the referral and collating search results. However,
referrals offer more flexibility for the writers of client applications and allow developers to provide better
feedback to users about the progress of a distributed directory operation.
The following sections describe some of the more specific differences between referrals and chaining
in greater detail.
5.3.3.1. Usage Differences
Some client applications do not support referrals. Chaining allows client applications to communicate
with a single server and still access the data stored on many servers. Sometimes referrals do not work
when a company's network uses proxies. For example, a client application may have permissions to
communicate with only one server inside a firewall. If that application is referred to a different server, it
is not able to contact it successfully.
A client must also be able to authenticate correctly when using referrals, which means that the servers
to which clients are being referred need to contain the client's credentials. With chaining, client
authentication takes place only once. Clients do not need to authenticate again on the servers to
which their requests are chained.
5.3.3.2. Evaluating Access Controls
Chaining evaluates access controls differently from referrals. With referrals, an entry for the client must
exist on all of the target servers. With chaining, the client entry does not need to be on all of the target
servers.
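The authentication and access control differences described in the two sections above can be seen in a small model. This is an added example, not Directory Server code or configuration: the `Server` class, the DNs, the passwords and the assumption that the database link binds to the remote server under its own DN are all constructed for illustration.

```python
# Constructed model of referrals vs. chaining; not Directory Server code.
class BindError(Exception):
    pass

class Server:
    def __init__(self, name, users, data=None, referrals=None, links=None):
        self.name, self.users = name, users   # users: bind DN -> password stored locally
        self.data = data or {}                # suffix -> entries held on this server
        self.referrals = referrals or {}      # suffix -> server named in the referral
        self.links = links or {}              # suffix -> (remote server, link DN, link password)
        self.binds = []                       # DNs that authenticated to this server

    def bind(self, dn, password):
        if self.users.get(dn) != password:
            raise BindError(f"{self.name}: no usable credentials for {dn}")
        self.binds.append(dn)

    def search(self, suffix, authz_dn):
        # authz_dn is the identity access controls would be evaluated for
        if suffix in self.data:
            return "entries", self.data[suffix]
        if suffix in self.links:              # chaining: the server does the remote work
            remote, link_dn, link_pw = self.links[suffix]
            remote.bind(link_dn, link_pw)     # assumption: the link binds as its own DN
            return remote.search(suffix, authz_dn)  # client DN forwarded, no client bind
        if suffix in self.referrals:          # referral: the client does the remote work
            return "referral", self.referrals[suffix]
        return "no such object", None

def client_search(server, suffix, dn, password):
    server.bind(dn, password)
    kind, payload = server.search(suffix, dn)
    if kind == "referral":                    # follow it and authenticate again on the target
        return client_search(payload, suffix, dn, password)
    return kind, payload

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed sample values
LINK = "cn=link user,cn=config"
GROUPS = "ou=groups,dc=example,dc=com"

def run(mode, alice_on_b):
    """Return (outcome, DNs that bound to remote server B) for one client search."""
    users_b = {LINK: "link-pw", **({ALICE: "pw"} if alice_on_b else {})}
    b = Server("B", users_b, data={GROUPS: ["cn=admins"]})
    wiring = {"referrals": {GROUPS: b}} if mode == "referral" else {"links": {GROUPS: (b, LINK, "link-pw")}}
    a = Server("A", {ALICE: "pw"}, **wiring)
    try:
        return client_search(a, GROUPS, ALICE, "pw")[0], b.binds
    except BindError:
        return "bind failed", b.binds
```

The list of binds recorded on server B is the part worth noting when reviewing logs: with referrals the client's own DN authenticates there, while with chaining only the link's DN does.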
Performing Search Requests Using Referrals
The following diagram illustrates a client request to a server using referrals: