Access Control And Replication; Compatibility With Earlier Releases - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

Access Control and Replication

The Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm.
When an attribute is multi-valued, each value is used to expand the macro, and the first one that
provides a successful match is used. For example:
dn: cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com
cn: Jane Doe
sn: Doe
ou: Engineering, dc=HostedCompany1,dc=example,dc=com
ou: People, dc=HostedCompany1,dc=example,dc=com...
In this case, when the Directory Server evaluates the ACI, it performs a logical OR on the following
expanded expressions:
roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com"
roledn = "ldap:///cn=DomainAdmins,ou=People,dc=HostedCompany1,dc=example,dc=com"

6.11. Access Control and Replication

ACIs are stored as attributes of entries; therefore, if an entry containing ACIs is part of a replicated
database, the ACIs are replicated like any other attribute.
ACIs are always evaluated on the Directory Server that services the incoming LDAP requests. This
means that when a consumer server receives an update request, it returns a referral to the supplier
server before evaluating whether the request can be serviced on the supplier.

6.12. Compatibility with Earlier Releases

Some ACI keywords that were used in earlier releases of Directory Server have been deprecated.
However, for reasons of backward compatibility, the following keywords are still supported:
• userdnattr
• groupdnattr
Therefore, if you have set up a replication agreement between a legacy supplier server and a version
8.0 consumer, there should not be any problems in the replication of ACIs.
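
Because ACIs are ordinary attribute values, an LDIF export shows which entries still carry the deprecated keywords. The following audit script is an added example, not part of the manual or of Directory Server; the sample entries, ACL names and attribute names in it are constructed.

```python
import base64
import re

# Deprecated bind-rule keywords listed in section 6.12.
KEYWORD = re.compile(r"\b(userdnattr|groupdnattr)\s*!?=", re.IGNORECASE)
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.IGNORECASE)
QUOTED = re.compile(r'"[^"]*"')

# Constructed sample export: DNs, ACL names and attribute names are made up.
# The last ACI is base64-encoded ("aci::"), as LDIF exports sometimes are.
_B64 = base64.b64encode(b'(targetattr="member")(version 3.0; acl "Owners '
                        b'manage group"; allow (write) groupdnattr = "owner";)')
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Managers edit reports"; allow (write)
  userdnattr = "manager";)
aci: (targetattr="*")(version 3.0; acl "Replaces userdnattr = manager"; allow
  (write) userdn = "ldap:///self";)

dn: ou=Groups,dc=example,dc=com
aci:: """ + _B64.decode() + "\n"


def records(ldif):
    """Yield (dn, [aci values]) per entry, unfolding lines and decoding base64."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # RFC 2849: newline + space is a fold
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn, acis = None, []
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if name.strip().lower() == "dn":
                dn = value.strip()
            elif name.strip().lower() == "aci":
                acis.append(value.strip())
        yield dn, acis


def audit(ldif):
    """Return sorted (dn, ACL name, keyword) for ACIs using a deprecated keyword."""
    hits = set()
    for dn, acis in records(ldif):
        for aci in acis:
            named = ACL_NAME.search(aci)
            # Blank out quoted strings so a keyword inside an ACL name is ignored.
            for kw in KEYWORD.findall(QUOTED.sub('""', aci)):
                hits.add((dn, named.group(1) if named else "(unnamed)", kw.lower()))
    return sorted(hits)
```

Calling audit() on the text of an export returns one tuple per entry, ACL name and deprecated keyword, which gives a review list of the ACIs that depend on backward compatibility.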