Netscape DIRECTORY SERVER 6.01 - DEPLOYMENT Deployment Manual page 92

About Knowledge References
In a chained system, the entry corresponding to the client application does not
need to be located on the same server as the data the client requests. For example, a
system could be set up as follows:
In this illustration, the following steps are performed:
The client application binds with Server A and Server A tries to confirm that
1.
the user name and password are correct.
Server A does not contain an entry corresponding to the client application.
2.
Instead, it contains a database link to Server B, which contains the actual entry
of the client. Server A sends a bind request to Server B.
Server B sends an acceptance response to Server A.
3.
Server A then processes the client application's request using another database
4.
link. The database link contacts a remote data store located on Server C to
process the search operation.
However, database links do not support the following access controls:
• Controls that must access the content of the user entry are not supported when
the user entry is located on a different server. This includes access controls
based on groups, filters, and roles.
• Controls based on client IP addresses or DNS domains may be denied. This is
because the database link impersonates the client when it contacts remote
servers. If the remote database contains IP-based access controls, it will
evaluate them using the database link's domain rather than the original client
domain.
92 Netscape Directory Server Deployment Guide • January 2002