When defining access controls in an entry-balancing deployment, you must ensure that the data used by the access control rule is available for evaluation on all data sets.

If you use groups for access control and a group contains users from different data sets, then that group must exist on each data set. For a single ACI to apply to entries in all data sets, it must be specified above the entry-balancing point. For example, if an ACI allows access to modify users that are part of group 1, then two things must exist on both data sets:

  • Group 1 must exist in the ou=groups branch of both data sets.
  • The ACI referencing group 1 must exist in the ou=people branch or above. The ou=people branch entry itself is part of the common data.

The PingDirectoryProxy server ensures that any changes to entries within the scope of the entry-balancing request processor, but outside the balancing point, are applied to all backend server sets. Any ACI stored at the entry-balancing point is kept in sync if changes are made through the PingDirectoryProxy server.