Creating and Maintaining Database Links104 Red Hat Directory Server Administrator’s Guide • May 2005Some components send internal LDAP requests to the server, expecting to accesslocal data only. For such components, you need to control the chaining policy sothat the components can complete their operations successfully. One example isthe certificate verification function. If you chain the LDAP request made by thefunction to check certificates, it implies that you trust the remote server. If theremote server is not trusted, then you have a security problem.By default, all internal operations are not chained. However, you can override thisdefault by specifying components that you want to chain using the Console or thecommand-line. By default, no components are allowed to chain.You must also create an ACI on the remote server to allow the plug-in you specifyto perform its operations on the remote server. You create the ACI in the suffixassigned to the database link.The following table lists component names, the potential side-effects of allowingthem to chain internal operations, and the permissions they need in the ACI youcreate on the remote server:Table 3-2 Components Allowed to ChainComponent Name Description PermissionsACI Plug-in This plug-in implements the access control feature.Operations used to retrieve and update ACI attributes arenot chained because it is not safe to mix local and remoteACI attributes. However, requests used to retrieve userentries may be chained. Specify the following value innsActiveChainingComponents attribute:nsActiveChainingComponents: cn=ACIPlugin,cn=plugins,cn=configRead, search, andcompare4.0 plug-ins This component name represents all Directory Server 4.0plug-ins. The 4.0 plug-ins share the same chaining policy.Specify the following in thensActiveChainingComponents attribute:nsActiveChainingComponents: cn=oldplugin,cn=plugins,cn=configDepends upon the 4.0plug-in you areallowing to chainResource limitcomponentThis component sets server limits depending on the userbind DN. You can apply resource limits on remote users ifthe resource limitation component is allowed to chain. Tochain this component’s operations, specify the following:nsActiveChainingComponents: cn=resourcelimits,cn=components,cn=configRead, search, andcompare
