Access control rules in an entry-balanced deployment are configured in the Directory Server backend servers and require access to the entry contents of the user issuing the request.

This can introduce a potential issue when clients of the Directory Proxy Server authenticate as users whose entries are among the entry-balanced sets. If the server processing a request doesn't contain the issuing user's entry, the access control can't be evaluated. One solution to this problem is to use an alternate authorization identity for the user, which references an entry that exists in all Directory Servers in all backend sets and has an equivalent set of access control rights to the authenticated user.

For the following example, assume a deployment has two entry-balancing sets: set-01 and set-02. Set-01 has entries in the uid=0-10000 range, while set-02 has entries for uid=10001-20000.

Entry-Balancing Issue with Clients Not Present in the Underlying Data Set

An illustrated workflow of an entry-balancing issue with clients not present in the underlying data set. The processing steps section below describes the workflow in detail. The client with uid=5000 is represented by a person at a desktop. The flow moves down from the client sending a bind request to Proxy Server 01, which is represented by a box with the global index box sitting beside it. The flow then moves from Proxy Server 01 in two directions: it sends a SEARCH request, represented by an orange line with a red X, to entry-balancing set 02, represented by a box with an orange outline, and it sends a BIND request, represented by a green line, to entry-balancing set 01, represented by a box with a green outline. Entry-balancing set 01 contains the base distinguished name, entries in the uid=0-10000 range, access control instructions, and an entry-balancing point. Entry-balancing set 02 contains the base distinguished name, entries for uid=10001-20000, access control instructions, and an entry-balancing point. The flow within each set is described in the processing steps.

Processing steps

  1. The client with uid=5000 binds to the Directory Proxy Server, which sends a BIND request to entry-balancing set-01.
  2. The client sends a SEARCH request with filter (uid=15000).
  3. The Directory Proxy Server determines that uid=15000 lives on entry-balancing set-02.
  4. The Directory Proxy Server determines that the entry for the authenticated user with uid=5000 doesn't exist in set-02 and that the access control handler has to reject the SEARCH request issued by an unknown user.
  5. The Directory Proxy Server observes that the Directory Server processing a request doesn't contain the entry of the user issuing the request and decides to use an alternate authorization identity.
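The five steps above, as an added Python model that is not the product's own code or configuration: it assumes the two uid ranges from the example, a constructed ACI that lets each set's local users search, and a constructed entry cn=search-authz that exists in every set and serves as the alternate authorization identity.

```python
SET_RANGES = {"set-01": range(0, 10001), "set-02": range(10001, 20001)}
# Constructed: an entry present in every backend set (not entry-balanced) with
# rights equivalent to an ordinary user; it is the alternate authorization identity.
ALT_AUTHZ_DN = "cn=search-authz,ou=services,dc=example,dc=com"
SHARED_ENTRIES = {ALT_AUTHZ_DN: {"search"}}


def user_dn(uid):
    return f"uid={uid},ou=people,dc=example,dc=com"


class BackendSet:
    """One entry-balancing set: holds a uid range plus the shared entries."""
    def __init__(self, name, uid_range):
        self.name, self.uid_range = name, uid_range

    def rights_of(self, requester_dn):
        """Rights of the requester, or None when its entry is not in this set
        (then the access control handler cannot evaluate the ACIs, step 4)."""
        if requester_dn in SHARED_ENTRIES:
            return SHARED_ENTRIES[requester_dn]
        if requester_dn.startswith("uid="):
            uid = int(requester_dn.split(",", 1)[0][len("uid="):])
            if uid in self.uid_range:
                return {"search"}  # constructed ACI: local users may search
        return None

    def search(self, requester_dn, target_uid):
        rights = self.rights_of(requester_dn)
        if rights is None:
            return "rejected: requester entry not in this set, ACI cannot be evaluated"
        if "search" not in rights:
            return "rejected: insufficient access"
        return f"{user_dn(target_uid)} found in {self.name}"


class Proxy:
    def __init__(self):
        self.sets = {n: BackendSet(n, r) for n, r in SET_RANGES.items()}

    def route(self, uid):
        """Global-index lookup: which entry-balancing set holds this uid (step 3)."""
        for name, uid_range in SET_RANGES.items():
            if uid in uid_range:
                return self.sets[name]
        raise LookupError(f"uid={uid} is not in any entry-balancing set")

    def search(self, bound_uid, target_uid, use_alt_authz=False):
        """Forward a search bound as uid=<bound_uid> for the entry uid=<target_uid>."""
        backend = self.route(target_uid)
        requester = user_dn(bound_uid)
        # Step 5: the requester's entry is absent from the backend that will
        # process the request, so substitute the alternate authorization identity.
        if use_alt_authz and backend.rights_of(requester) is None:
            requester = ALT_AUTHZ_DN
        return backend.search(requester, target_uid)
```

Calling `Proxy().search(5000, 15000)` reproduces the rejection in step 4, while passing `use_alt_authz=True` reproduces the fallback in step 5.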