Chapter 9. Settings required for creating a database link
When creating a database link, you must configure the suffix, bind credentials, bind mechanisms, and LDAP URL settings.
9.1. Bind credentials
You can chain requests from a client application to a remote server by using specific bind credentials. The chained suffix on the remote server must have an ACI that allows proxy authorization to that user. Without bind credentials, a database link binds to the remote server as anonymous.
When you enable chaining, carefully examine access controls to avoid providing access to restricted areas of a directory. For example, a user that connects by using the database link can see all entries below the branch. To restrict access to the subtree when not all subtrees must be visible to the user, create an additional ACI to avoid any security issues.
When a client application creates or modifies entries by using database links, the creatorsName and modifiersName attributes do not reflect the real creator or modifier of the entries. These attributes contain the name of the administrative user granted proxied authorization rights on the remote data server.
Providing bind credentials involves the following steps on the remote server:
- Creating an administrative user, such as cn=proxy_user,cn=config, for the database link.
- Providing proxy access rights for the administrative user created in the previous step on the target subtree chained by using the database link.
For example, the following ACI grants read-only access to the cn=proxy_admin,cn=config user to access data contained on the remote server only within the subtree where the ACI is set:
aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=proxy_admin,cn=config";)
When a user binds to a database link, the user’s identity is sent to the remote server. Access controls are always evaluated on the remote server. To allow the user to modify or write the data to the remote server, set up the correct access controls on the remote server.
9.2. LDAP URL
You can identify the remote server that the database link connects to by using the LDAP URL on the server containing the database link. The URL of the remote server does not specify a suffix and is in the form ldap://host_name:port.
When you connect the database link to the remote server by using LDAP over TLS, the URL uses the LDAPS protocol instead of LDAP and points to the secure port of the remote server, for example:
ldaps://africa.example.com:636/
You must enable TLS on both the local Directory Server and the remote Directory Server to be chained over. When the database link and the remote server communicate by using TLS, the client application that creates the operation request can bind by using the normal port and does not necessarily need to use TLS for its own connection.
9.3. Bind mechanisms
You can connect a local server to a remote server in either of the following ways:
- By using a standard LDAP port.
- By using a dedicated LDAPS port.
- By using a STARTTLS connection, which is a more secure connection than a standard port.
If secure binds are required for simple password authentication, using a secure connection (TLS or STARTTLS connections, or SASL authentication) is recommended when you perform any chaining operation.
The local server can use the following methods to authenticate to the remote server:
EMPTY
When using the EMPTY method, the local server performs simple authentication and requires a bind DN and a password if the bind mechanism is not set.
EXTERNAL
When using the EXTERNAL method, the local server uses its TLS certificate to authenticate to the remote server. Note that you must either set the local server URL to the secure URL (ldaps) or set the nsUseStartTLS attribute to on. Additionally, you must configure the remote server to map the local server's certificate to its bind identity.
DIGEST-MD5
When using the DIGEST-MD5 method, the local server uses SASL authentication with the DIGEST-MD5 mechanism. Similarly to simple authentication, this type of authentication requires the nsMultiplexorBindDN and nsMultiplexorCredentials attributes to give the bind information.
GSSAPI
When using the GSSAPI method, the local server uses Kerberos-based authentication over SASL. You can configure the local server with a Kerberos keytab, and the remote server must have a defined SASL mapping for the local server's bind identity.
SASL connections can be established over standard connections or TLS connections. You can configure the local server to chain the SASL and password policy components when SASL is used.
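As an added example that is not part of the product documentation, the following Python check applies the rules of sections 9.1 to 9.3 to a constructed database-link entry before it is loaded: the remote-server URL carries no suffix, EXTERNAL needs an ldaps URL or nsUseStartTLS on, and EMPTY and DIGEST-MD5 need the multiplexor bind DN and credentials. The attribute names nsfarmserverurl and nsbindmechanism are assumed to be the chaining plug-in's URL and bind-mechanism attributes; the others appear in this chapter.

```python
from urllib.parse import urlparse

# nsMultiplexorBindDN, nsMultiplexorCredentials and nsUseStartTLS are named in this
# chapter; nsfarmserverurl and nsbindmechanism are assumed names for the chaining
# plug-in's URL and bind-mechanism attributes. Keys are matched case-insensitively,
# as LDAP attribute names are.

def check_link(entry):
    """Return a list of problems found in a database-link configuration dict."""
    attrs = {k.lower(): v for k, v in entry.items()}
    problems = []

    # Section 9.2: ldap://host_name:port or ldaps://host_name:port, never a suffix
    url = urlparse(attrs.get("nsfarmserverurl", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or not url.port:
        problems.append("nsfarmserverurl must be ldap(s)://host_name:port")
    if url.path.strip("/"):
        problems.append("nsfarmserverurl must not specify a suffix")

    # Section 9.3: which bind mechanism, and is the connection protected?
    secure = url.scheme == "ldaps" or attrs.get("nsusestarttls", "off").lower() == "on"
    mech = attrs.get("nsbindmechanism", "EMPTY").upper()
    has_creds = bool(attrs.get("nsmultiplexorbinddn") and attrs.get("nsmultiplexorcredentials"))

    if mech in ("EMPTY", "DIGEST-MD5") and not has_creds:
        problems.append(f"{mech} requires nsMultiplexorBindDN and nsMultiplexorCredentials")
    if mech == "EXTERNAL" and not secure:
        problems.append("EXTERNAL requires an ldaps:// URL or nsUseStartTLS: on")
    if mech == "EMPTY" and not secure:
        problems.append("simple bind without TLS/STARTTLS sends the proxy password in clear")
    if mech not in ("EMPTY", "EXTERNAL", "DIGEST-MD5", "GSSAPI"):
        problems.append(f"unknown bind mechanism {mech}")
    return problems

# Constructed sample entries, not taken from a real cn=config
GOOD_LINK = {
    "nsfarmserverurl": "ldaps://africa.example.com:636/",
    "nsbindmechanism": "EMPTY",
    "nsMultiplexorBindDN": "cn=proxy_admin,cn=config",
    "nsMultiplexorCredentials": "constructed-secret",
}
WEAK_LINK = {
    "nsfarmserverurl": "ldap://africa.example.com:389/dc=example,dc=com",
    "nsbindmechanism": "EXTERNAL",
}

if __name__ == "__main__":
    for name, link in (("good", GOOD_LINK), ("weak", WEAK_LINK)):
        print(name, check_link(link) or "OK")
```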