Creating and Maintaining Database Links
• ACIs must be located with any groups they use. If the groups are dynamic, all users in the group must be located with the ACI and the group. If the group is static, it may refer to remote users.
• ACIs must be located with any role definitions they use and with any users intended to have those roles.
• ACIs that refer to values of a user's entry (for example, userattr subject rules) will work if the user is remote.

Though access controls are always evaluated on the remote server, you can also choose to have them evaluated on both the server containing the database link and the remote server. This poses several limitations:
• During access control evaluation, contents of user entries are not necessarily available (for example, if the access control is evaluated on the server containing the database link and the entry is located on a remote server).
  For performance reasons, clients cannot do remote inquiries and evaluate access controls.
• The database link does not necessarily have access to the entries being modified by the client application.
  When performing a modify operation, the database link does not have access to the full entry stored on the remote server. If performing a delete operation, the database link is only aware of the entry's DN. If an access control specifies a particular attribute, then a delete operation will fail when being conducted through a database link.

NOTE
By default, access controls set on the server containing the database link are not evaluated. To override this default, use the nsCheckLocalACI attribute in the cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry. However, evaluating access controls on the server containing the database link is not recommended unless using cascading chaining.

Netscape Directory Server Administrator's Guide • December 2003
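The co-location rules above can be checked before an ACI is deployed. The following is an added example, not code from the guide or from Netscape: it audits ACI text against a suffix-to-server map and flags groupdn and roledn references, and dynamic-group member bases, that live on a different server than the ACI. The server names, suffix map, group entries and sample ACI are constructed assumptions.

```python
import re

# Constructed topology (assumption): which server physically holds each suffix.
SUFFIX_HOME = {
    "dc=example,dc=com": "serverA",
    "ou=people,dc=example,dc=com": "serverB",  # reached from serverA via a database link
}
# Constructed group entries: a dynamic group carries memberURL, a static one does not.
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": {},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "memberURL": "ldap:///ou=people,dc=example,dc=com??sub?(ou=staff)"},
}

RULE = re.compile(r'\b(groupdn|roledn|userattr)\s*!?=\s*"([^"]*)"', re.I)
URL_DN = re.compile(r'ldap:///([^?"|]+)', re.I)

def norm(dn):
    """Lower-case a DN and drop whitespace around its commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def home_of(dn):
    """Server holding dn, chosen by the longest matching suffix."""
    dn = norm(dn)
    hits = [s for s in SUFFIX_HOME if dn == s or dn.endswith("," + s)]
    return SUFFIX_HOME[max(hits, key=len)] if hits else None

def audit(aci_dn, aci):
    """Return co-location problems for one ACI stored on the entry aci_dn."""
    here, problems = home_of(aci_dn), []
    for keyword, value in RULE.findall(aci):
        keyword = keyword.lower()
        if keyword == "userattr":
            continue  # rules on values of the user's entry work with remote users
        for ref in map(norm, URL_DN.findall(value)):
            if home_of(ref) != here:
                problems.append(f"{keyword} {ref} is on {home_of(ref)}, ACI on {here}")
            member_url = GROUPS.get(ref, {}).get("memberURL")
            if keyword == "groupdn" and member_url:
                base = norm(URL_DN.findall(member_url)[0])
                if home_of(base) != here:
                    problems.append(f"dynamic group {ref} selects users on {home_of(base)}")
    return problems

if __name__ == "__main__":
    sample = ('(targetattr="*")(version 3.0; acl "staff"; allow (read) '
              'groupdn="ldap:///cn=staff,ou=groups,dc=example,dc=com";)')
    print(audit("dc=example,dc=com", sample))
```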