Access control rules in an entry-balanced deployment are configured in the Directory Server backend servers and require access to the entry contents of the user issuing the request. This can introduce a possible issue when clients to the Directory Proxy Server authenticate as users whose entries are among the entry-balanced sets. If the server which is processing a request does not contain the issuing user's entry, then the access control cannot be evaluated.
For example, consider a deployment that has two entry-balancing sets, set-01 and set-02. Set-01 has entries in the range uid=0-10000, while set-02 has entries for uid=10001-20000. The client with uid=5000 binds to the Directory Proxy Server, which sends a BIND request to entry-balancing set-01. Next, the client sends a SEARCH request with filter "(uid=15000)". The Directory Proxy Server determines that uid=15000 lives on entry-balancing set-02. The Directory Proxy Server then determines that the entry for the authenticated user with uid=5000 does not exist in set-02 and that the access control handler would reject the SEARCH request issued by an unknown user.
One solution to this problem is to make use of an alternate authorization identity for the user, which references an entry that exists in all Directory Servers in all backend sets and has an equivalent set of access control rights as the authenticated user. The alternate authorization identity is used when the Directory Proxy Server observes that the Directory Server processing a request does not contain the entry of the user issuing the request.
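The routing decision described in the two preceding paragraphs, as an added illustrative model (not the Directory Proxy Server's own code): the set names, uid ranges and uid=5000/uid=15000 values follow the example above, while the DN suffixes and the alternate authorization identity DN are constructed for this example.

```python
"""Model of how an entry-balanced proxy chooses the authorization identity."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def uid_of(dn: str) -> Optional[int]:
    """Extract the numeric uid from a DN such as uid=5000,ou=people,...; None if absent."""
    m = re.match(r"uid=(\d+),", dn)
    return int(m.group(1)) if m else None


@dataclass
class EntryBalancingSet:
    name: str
    uid_low: int
    uid_high: int
    # Entries present in every backend of this set in addition to the
    # balanced user entries (e.g. a shared alternate authorization identity).
    shared_entries: Set[str] = field(default_factory=set)

    def owns_uid(self, uid: int) -> bool:
        return self.uid_low <= uid <= self.uid_high

    def contains(self, dn: str) -> bool:
        uid = uid_of(dn)
        return dn in self.shared_entries or (uid is not None and self.owns_uid(uid))


def route_search(sets: List[EntryBalancingSet], authn_dn: str, target_uid: int,
                 alternate_authz_dn: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Pick the set that owns target_uid and the identity to authorize the request as.

    Returns (set_name, authz_dn). authz_dn is the bound user's DN when that set
    holds the user's entry, the alternate authorization identity when it does
    not, and None when no usable identity exists (the access control handler
    would then see an unknown user and reject the request).
    """
    target = next(s for s in sets if s.owns_uid(target_uid))
    if target.contains(authn_dn):
        return target.name, authn_dn
    if alternate_authz_dn and target.contains(alternate_authz_dn):
        return target.name, alternate_authz_dn
    return target.name, None


# Constructed deployment matching the example above.
ALT_AUTHZ = "cn=proxy-authz,ou=system,dc=example,dc=com"
SETS = [EntryBalancingSet("set-01", 0, 10000, {ALT_AUTHZ}),
        EntryBalancingSet("set-02", 10001, 20000, {ALT_AUTHZ})]
BOUND_USER = "uid=5000,ou=people,dc=example,dc=com"
```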
The following sections cover the procedures to configure the alternate authorization identities for the Directory Proxy Server.