Access control rules in an entry-balanced deployment are configured on the Directory Server backend servers, and evaluating them requires access to the entry of the user issuing the request. This causes a problem when clients of the Directory Proxy Server authenticate as users whose entries belong to one of the entry-balanced sets: if the backend server processing a request does not hold the issuing user's entry, it cannot evaluate access control for that request.
For example, consider a deployment that has two entry-balancing sets, set-01 and set-02. Set-01 has entries in the range uid=0-10000, while set-02 has entries for uid=10001-20000. The client with uid=5000 binds to the Directory Proxy Server, which sends a BIND request to entry-balancing set-01. Next, the client sends a SEARCH request, and the Directory Proxy Server determines that the target entry, uid=15000, lives on entry-balancing set-02. The Directory Proxy Server then determines that the entry for the authenticated user with uid=5000 does not exist in set-02, and that the access control handler there would reject the SEARCH request as one issued by an unknown user.
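The request flow above, as an added toy model written for this page. It is not code from the Directory Proxy Server or Directory Server; the `BackendSet` and `Proxy` classes, their methods and the constructed entry stores are invented for illustration, while the set names and uid ranges are the ones used in the example. The model shows why the outcome of an otherwise identical SEARCH depends only on whether the requester's entry is co-located with the target entry.

```python
"""Toy model of access-control evaluation in an entry-balanced deployment.

Added illustration, not Directory Proxy Server or Directory Server code.
Set names and uid ranges come from the example above; all class and
function names here are invented for this model.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class BackendSet:
    """One entry-balancing set holding entries for a contiguous uid range."""
    name: str
    low: int
    high: int
    # Constructed entry store: uid -> minimal attribute dict.
    entries: Dict[int, dict] = field(default_factory=dict)

    def owns(self, uid: int) -> bool:
        """Routing rule used by the proxy: does this set's range cover uid?"""
        return self.low <= uid <= self.high

    def add_entry(self, uid: int) -> None:
        if not self.owns(uid):
            raise ValueError(f"{self.name} does not own uid={uid}")
        self.entries[uid] = {"uid": uid}

    def bind(self, uid: int) -> bool:
        """A backend can only authenticate users whose entry it holds."""
        return uid in self.entries

    def search(self, bound_uid: Optional[int], target_uid: int) -> Tuple[str, str]:
        """Evaluate access control locally.

        The access control handler needs the requester's own entry. If that
        entry is not in this set, the requester is unknown here and the
        request is rejected even though the target entry may exist.
        """
        if bound_uid is None or bound_uid not in self.entries:
            return ("REJECTED", f"{self.name}: requester uid={bound_uid} is unknown here")
        if target_uid not in self.entries:
            return ("NO_SUCH_ENTRY", f"{self.name}: uid={target_uid} not found")
        return ("OK", f"{self.name}: returned entry uid={target_uid}")


class Proxy:
    """Routes BIND and SEARCH to the set whose uid range covers the entry."""

    def __init__(self, sets):
        self.sets = list(sets)
        self.bound_uid: Optional[int] = None

    def route(self, uid: int) -> BackendSet:
        return next(s for s in self.sets if s.owns(uid))

    def bind(self, uid: int) -> bool:
        # BIND goes to the set that holds the authenticating user's entry.
        ok = self.route(uid).bind(uid)
        self.bound_uid = uid if ok else None
        return ok

    def search(self, target_uid: int) -> Tuple[str, str]:
        # SEARCH goes to the set that holds the *target* entry, which is
        # not necessarily the set that authenticated the requester.
        return self.route(target_uid).search(self.bound_uid, target_uid)


def build_deployment() -> Proxy:
    """Two sets with the ranges from the example and a few constructed entries."""
    set01 = BackendSet("set-01", 0, 10000)
    set02 = BackendSet("set-02", 10001, 20000)
    for uid in (5000, 7000):
        set01.add_entry(uid)
    for uid in (15000, 18000):
        set02.add_entry(uid)
    return Proxy([set01, set02])


def run_example() -> Dict[str, Tuple[str, str]]:
    """Client uid=5000 binds, then searches in its own set and in the other."""
    proxy = build_deployment()
    if not proxy.bind(5000):
        raise RuntimeError("BIND for uid=5000 failed")
    return {
        "same_set": proxy.search(7000),    # requester entry present on set-01
        "cross_set": proxy.search(15000),  # requester entry absent on set-02
    }


if __name__ == "__main__":
    for label, (status, detail) in run_example().items():
        print(f"{label:10s} {status:14s} {detail}")
```

Running the block prints an `OK` result for the same-set search and a `REJECTED` result for the cross-set search. Note that the proxy's routing is correct in both cases; the rejection originates entirely in the backend's access control handler, which is the point the section makes.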