Working with Alternate Authorization Identities - PingDirectory - 7.3

Access control rules in an entry-balanced deployment are configured in the Directory Server backend servers and require access to the entry contents of the user issuing the request. This can introduce a possible issue when clients to the Directory Proxy Server authenticate as users whose entries are among the entry-balanced sets. If the server which is processing a request does not contain the issuing user's entry, then the access control cannot be evaluated.

For example, consider a deployment that has two entry-balancing sets, set-01 and set-02. Set-01 has entries in the range uid=0-10000, while set-02 has entries for uid=10001-20000. The client with uid=5000 binds to the Directory Proxy Server, which sends a BIND request to entry-balancing set-01. Next, the client sends a SEARCH request with filter "(uid=15000)". The Directory Proxy Server determines that uid=15000 lives on entry-balancing set-02. The Directory Proxy Server then determines that the entry for the authenticated user with uid=5000 does not exist in set-02 and that the access control handler would reject the SEARCH request issued by an unknown user.