Evaluating Access Controls - Netscape DIRECTORY SERVER 6.2 - DEPLOYMENT Deployment Manual

Also, with referrals a client must authenticate, meaning that the servers to which
clients are being referred need to contain the client credentials. With chaining,
client authentication takes place only once. Clients do not need to authenticate
again on the servers to which their requests are chained.

Evaluating Access Controls

Chaining evaluates access controls differently from referrals. With referrals, an
entry for the client must exist on all of the target servers. With chaining, the client
entry does not need to be on all of the target servers.
For example, a client sends a search request to server A. The following diagram
illustrates the operation using referrals:
In the illustration above, the client application performs the following steps:
The client application first binds with Server A.
1.
Server A contains an entry for the client that provides a user name and
2.
password, so returns a bind acceptance message. In order for the referral to
work, the client entry must be present on Server A.
The client application sends the operation request to Server A.
3.
However, Server A does not contain the information requested. Instead, Server
4.
A returns a referral to the client application telling them to contact Server B.
The client application then sends a bind request to Server B. To bind
5.
successfully, Server B must also contain an entry for the client application.
The bind is successful, and the client application can now resubmit its search
6.
operation to Server B.
About Knowledge References
Chapter 5 Designing the Directory Topology 101