Access control rules in an entry-balanced deployment are configured in the Directory Server backend servers and require access to the entry contents of the user issuing the request. This can cause a problem when clients of the Directory Proxy Server authenticate as users whose entries are among the entry-balanced sets: if the backend server processing a request does not contain the issuing user's entry, the access control for that request cannot be evaluated.
For example, consider a deployment that has two entry-balancing sets, set-01 and set-02. Set-01 has entries in the range uid=0-10000, while set-02 has entries for uid=10001-20000. The client with uid=5000 binds to the Directory Proxy Server, which sends a BIND request to entry-balancing set-01. Next, the client sends a SEARCH request with filter "(uid=15000)". The Directory Proxy Server determines that uid=15000 lives on entry-balancing set-02. The Directory Proxy Server then determines that the entry for the authenticated user with uid=5000 does not exist in set-02 and that the access control handler would reject the SEARCH request issued by an unknown user.
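The following Python model walks through the scenario above so the failure mode can be reproduced without a live deployment. It is an added illustration, not code from the Directory Proxy Server or its documentation: the two sets, their uid ranges, the bind as uid=5000 and the "(uid=15000)" filter are the page's example, while the `BackendSet`, `ProxySession` names, the equality-only filter parser and the string outcomes are assumptions made for this example. The point it demonstrates is the check a proxy must make before forwarding: does the backend set that will answer the request also hold the authenticated user's entry?

```python
"""Model of entry-balanced routing and the access-control gap it can create.

Added example (not product code). It simulates how a proxy routes a SEARCH
to the backend set owning the target entry, then checks whether that set can
evaluate access control for the bound user at all.
"""
import re
from dataclasses import dataclass

# Only simple equality filters on uid are modelled; assumption for this example.
_UID_FILTER = re.compile(r"^\(uid=(\d+)\)$")


@dataclass(frozen=True)
class BackendSet:
    """One entry-balancing set holding a contiguous uid range (inclusive)."""
    name: str
    uid_low: int
    uid_high: int

    def holds(self, uid: int) -> bool:
        return self.uid_low <= uid <= self.uid_high


# Constructed deployment taken from the text: two sets, disjoint uid ranges.
SETS = (BackendSet("set-01", 0, 10000), BackendSet("set-02", 10001, 20000))


def uid_from_filter(ldap_filter: str) -> int:
    """Extract the uid from a "(uid=N)" equality filter."""
    match = _UID_FILTER.match(ldap_filter)
    if match is None:
        raise ValueError(f"unsupported filter for this model: {ldap_filter!r}")
    return int(match.group(1))


def route(uid: int, sets=SETS) -> BackendSet:
    """Pick the set whose range contains the uid (entry-balancing routing)."""
    for backend in sets:
        if backend.holds(uid):
            return backend
    raise LookupError(f"no entry-balancing set owns uid={uid}")


class ProxySession:
    """A client connection through the proxy: BIND first, then SEARCH."""

    def __init__(self, sets=SETS):
        self.sets = sets
        self.auth_uid = None
        self.bind_set = None

    def bind(self, uid: int) -> str:
        """Forward the BIND to the set owning the user's entry; return its name."""
        backend = route(uid, self.sets)
        self.auth_uid = uid
        self.bind_set = backend.name
        return backend.name

    def search(self, ldap_filter: str) -> dict:
        """Route the SEARCH and report whether the target set can evaluate ACIs.

        The backend evaluates access control against the *authenticated* user's
        entry, so if that entry is absent from the target set the request is
        handled as coming from an unknown user and is rejected.
        """
        if self.auth_uid is None:
            raise RuntimeError("SEARCH before BIND is not modelled here")
        target = route(uid_from_filter(ldap_filter), self.sets)
        present = target.holds(self.auth_uid)
        return {
            "auth_uid": self.auth_uid,
            "bind_set": self.bind_set,
            "target_set": target.name,
            "auth_entry_present": present,
            "outcome": "access control evaluated" if present
            else "rejected: authenticated user unknown to target set",
        }


if __name__ == "__main__":
    session = ProxySession()
    print("BIND routed to", session.bind(5000))
    # Same-set search: ACIs can be evaluated.
    print(session.search("(uid=7000)"))
    # Cross-set search from the text: uid=5000 is not in set-02.
    print(session.search("(uid=15000)"))
```

Running the module prints the two outcomes side by side: a search that stays within set-01 reaches the access control handler normally, while the "(uid=15000)" search lands on set-02, where the bound user has no entry, and is rejected. The `auth_entry_present` flag is the condition an operator would want to log or alert on when diagnosing unexpected access denials in an entry-balanced topology.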