Netscape DIRECTORY SERVER 6.01 - ADMINISTRATOR Administrator's Manual page 121


Creating the Proxy Administrative User ACI

You need to create an ACI on the server that contains the intermediate database link that checks the rights of the first database link before translating the request to another server. For example, if server two does not check the credentials of server one, then anyone could bind as anonymous and pass a proxy authorization control allowing them more administrative privileges than appropriate.

To prevent this security hole, you need to create an ACI on the server which contains the intermediate database link. To create an ACI, you need to do the following:
1. Create a database, if one does not already exist, on the server containing the intermediate database link. This database will contain the admin user entry and the ACI. For information about creating a database, see "Creating Databases," on page 84.

2. Create an entry that corresponds to the administrative user in the database.

3. Create an ACI for the administrative user that targets the appropriate suffix. This ensures the administrator has access only to the suffix of the database link.
Add the following ACI to the administrative user's entry:

    aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy admin,cn=config";)

This ACI is like the ACI you create on the remote server when configuring simple chaining.
CAUTION: Carefully examine access controls when enabling chaining to avoid giving access to restricted areas of your directory. For example, if you create a default proxy ACI on a branch, the users that connect via the database link will be able to see all entries below the branch. There may be cases when you do not want all of the subtrees to be viewed by a user. To avoid a security hole, you may need to create an additional ACI to restrict access to the subtree.
Enabling Local ACI Evaluation

To confirm that the proxy administrative ACI is used, you need to enable evaluation of local ACIs on all intermediate database links involved in chaining. To do this, add the following attribute to the cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry of each intermediate database link:

    nsCheckLocalACI: on

Creating and Maintaining Database Links
Chapter 3 Configuring Directory Databases 121
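The two settings above are easy to get half right: a link can be left without nsCheckLocalACI, or the admin entry's ACI can grant a right other than proxy. The following script is an added audit example, not part of the manual or of Directory Server; it reads a constructed LDIF export (hypothetical link names and admin DN) and reports intermediate links that do not evaluate local ACIs, and checks that an ACI value actually grants the proxy right to the proxy admin DN.

```python
import re

# Constructed sample LDIF (hypothetical DNs, not from the manual): the chaining
# plugin's database links plus the administrative user entry carrying the ACI.
SAMPLE_LDIF = """\
dn: cn=link_to_server3,cn=chaining database,cn=plugins,cn=config
cn: link_to_server3
nsCheckLocalACI: on

dn: cn=link_to_server4,cn=chaining database,cn=plugins,cn=config
cn: link_to_server4
nsCheckLocalACI: off

dn: cn=link_to_server5,cn=chaining database,cn=plugins,cn=config
cn: link_to_server5

dn: uid=dbadmin,ou=people,dc=example,dc=com
uid: dbadmin
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization
  for database links"; allow (proxy) userdn = "ldap:///cn=proxy
  admin,cn=config";)
"""

LINK_SUFFIX = ",cn=chaining database,cn=plugins,cn=config"
ACI_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///([^"]+)"', re.I)

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}. Unfolds continuation
    lines (leading space); does not decode base64 (::) values."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # folded line: drop the leading space
            else:
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def links_without_local_aci(entries):
    """DNs of database links whose nsCheckLocalACI is missing or not 'on'."""
    return sorted(dn for dn, attrs in entries.items()
                  if dn.lower().endswith(LINK_SUFFIX)
                  and [v.lower() for v in attrs.get("nschecklocalaci", [])] != ["on"])

def grants_proxy(aci, proxy_dn):
    """True if an ACI value grants the 'proxy' right to proxy_dn."""
    for rights, dn in ACI_RE.findall(aci):
        rights = [r.strip().lower() for r in rights.split(",")]
        if dn.lower() == proxy_dn.lower() and "proxy" in rights:
            return True
    return False
```

Run it against a real export of cn=config and the admin user's entry; every DN returned by links_without_local_aci is a link on which the proxy ACI is never evaluated.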