Creating and Maintaining Database Links130 Netscape Directory Server Administrator’s Guide • May 2002Add the local proxy authorization ACI to thec=africa,ou=people,dc=example,dc=coml entry:aci:(targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com")(version 3.0; acl "Proxied authorization fordatabase links"; allow (proxy) userdn = "ldap:///cn=server1 proxyadmin,cn=config";)Then add the local client ACI that will allow the client operation to succeed onserver two given that ACI checking is turned on. This ACI is the same as the ACIyou will create on the destination server to provide access to thel=Zanzibar,c=africa,ou=people,dc=example,dc=com branch. You may decidethat you want all users within c=us,ou=people,dc=example,dc=com to haveupdate access to the entries inl=Zanzibar,c=africa,ou=people,dc=example,dc=com on server three. Thefollowing ACI is the ACI you would need to create on thec=africa,ou=people,dc=example,dc=com suffix on server two to allow this:aci:(targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com")(version 3.0; acl "Client authorization fordatabase links"; allow (all) userdn ="ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)This ACI allows clients that have a uid in c=us,ou=people,dc=example,dc=comon server one to perform any type of operation on thel=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on serverthree. Should you have users on server two under a different suffix that willrequire additional rights on server three, you may need to add additional clientACIs on server two.Configuring Server ThreeThe final configuration step in our cascading chaining example is to configureserver three. First, you create an administrative user on server three for server twoto use for proxy authorization:NOTE To create these ACIs it is assumed that the database correspondingto the c=africa,ou=people,dc=example,dc=com suffix alreadyexists to hold the entry. This database needs to be associated with asuffix above the suffix specified in the nsslapd-suffix attribute ofeach database link. That is, the suffix on the final destination servershould be a sub suffix of the suffix specified on the intermediateserver.
