Usage Differences; Evaluating Access Controls - Netscape DIRECTORY SERVER 6.02 - DEPLOYMENT Deployment Manual

About Knowledge References

Usage Differences

Some client applications do not support referrals. Chaining allows client
applications to communicate with a single server and still access the data stored on
many servers. Sometimes referrals do not work when a company's network uses
proxies. For example, a client application has permissions to speak to only one
server inside a firewall. If they are referred to a different server, they will not be
able to contact it successfully.
Also, with referrals a client must authenticate, meaning that the servers to which
clients are being referred need to contain the client credentials. With chaining,
client authentication takes place only once. Clients do not need to authenticate
again on the servers to which their requests are chained.

Evaluating Access Controls

Chaining evaluates access controls differently from referrals. With referrals, an
entry for the client must exist on all of the target servers. With chaining, the client
entry does not need to be on all of the target servers.
For example, a client sends a search request to server A. The following diagram
illustrates the operation using referrals:
In the illustration above, the client application performs the following steps:
The client application first binds with Server A.
1.
Server A contains an entry for the client that provides a user name and
2.
password, so returns a bind acceptance message. In order for the referral to
work, the client entry must be present on Server A.
The client application sends the operation request to Server A.
3.
90 Netscape Directory Server Deployment Guide • May 2002