Access control rules in an entry-balanced deployment are configured in the Directory Server backend servers and require access to the entry contents of the user issuing the request.

This can introduce a potential issue when clients of the Directory Proxy Server authenticate as users whose entries are among the entry-balanced sets. If the server processing a request doesn't contain the issuing user's entry, the access control rules can't be evaluated. One solution to this problem is to use an alternate authorization identity for the user. This identity references an entry that exists in all Directory Servers in all backend sets and that has an equivalent set of access control rights as the authenticated user.

For the following example, assume a deployment has two entry-balancing sets: set-01 and set-02. Set-01 has entries in the uid=0-10000 range, while set-02 has entries for uid=10001-20000.

Entry-Balancing Issue with Clients Not Present in the Underlying Data Set
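
The scenario above can be modelled in a few lines. The following is an added example, not product code or configuration: the DNs, the `uid=standard-user` alternate identity entry and all function names are assumptions made for illustration, and the model only checks whether the backend set that processes a request holds the entry used for authorization.

```python
import re

# Constructed data matching the example ranges: set-01 holds uid=0-10000,
# set-02 holds uid=10001-20000.
BACKEND_SETS = {"set-01": range(0, 10001), "set-02": range(10001, 20001)}
# Hypothetical entry assumed to exist in every server of every backend set.
IN_ALL_SETS = {"uid=standard-user,ou=authz,dc=example,dc=com"}


def uid_of(dn):
    """Return the numeric uid from the leading RDN, or None if it is not numeric."""
    match = re.match(r"uid=(\d+),", dn)
    return int(match.group(1)) if match else None


def holds_entry(set_name, dn):
    """True if the servers in set_name contain the entry named by dn."""
    if dn in IN_ALL_SETS:
        return True
    uid = uid_of(dn)
    return uid is not None and uid in BACKEND_SETS[set_name]


def set_for_target(target_dn):
    """Name of the backend set that processes a request for target_dn."""
    uid = uid_of(target_dn)
    for name, uid_range in BACKEND_SETS.items():
        if uid is not None and uid in uid_range:
            return name
    raise LookupError(f"no backend set holds {target_dn}")


def evaluate(auth_dn, target_dn, alternate_authz_dn=None):
    """Return (backend set, DN used for authorization, can access control be evaluated)."""
    backend = set_for_target(target_dn)
    authz_dn = alternate_authz_dn or auth_dn
    return backend, authz_dn, holds_entry(backend, authz_dn)


if __name__ == "__main__":
    client = "uid=5000,ou=people,dc=example,dc=com"    # entry lives in set-01
    target = "uid=15000,ou=people,dc=example,dc=com"   # entry lives in set-02
    alt = "uid=standard-user,ou=authz,dc=example,dc=com"
    print(evaluate(client, target))        # requester's entry is absent from set-02
    print(evaluate(client, target, alt))   # alternate identity is present in set-02
```
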