Chapter 10. Configuring the chaining policy
You can configure Directory Server to chain requests from client applications to a Directory Server that contains database links. The chaining policy applies to all database links created on the Directory Server.
10.1. Chaining component operations
A component is any functional unit in the server that uses internal operations, for example, a plug-in or a function in the front end.
Some components send internal LDAP requests to the server and expect to access local data only. For such components, you must control the chaining policy so that the components can complete their operations successfully. For example, if you chain the LDAP request that the certificate verification function makes to check certificates, this implies that the remote server is trusted. If the remote server is not trusted, there is a security problem.
By default, internal operations are not chained and no component is allowed to chain, but you can override the default.
Additionally, you must create an ACI on the remote server to enable the specified plug-in to perform its operation on the remote server. The ACI must exist in the suffix assigned to the database link.
The following are the component names, the potential side effects of allowing each component to chain internal operations, and the permissions the component needs in the ACI on the remote server:

The ACI plug-in component
The ACI plug-in component implements access control. You cannot chain operations used to retrieve and update ACI attributes, because it is not safe to mix local and remote attributes. However, you can chain requests used to retrieve user entries by setting the following chaining component attribute:
nsActiveChainingComponents: cn=ACI Plugin,cn=plugins,cn=config
Permissions: Read, search, and compare.

The resource limits component
The resource limits component sets server limits depending on the user bind DN. If you chain the resource limits component, you can apply resource limits to remote users. To chain resource limits component operations, add the following chaining component attribute:
nsActiveChainingComponents: cn=resource limits,cn=components,cn=config
Permissions: Read, search, and compare.

The certificate-based authentication component
You can use the certificate-based authentication component during the external bind method. This component retrieves user certificates from the database on the remote server. When you allow this component to chain, it enables certificate-based authentication to work with the database link. To chain this component's operations, add the following chaining component attribute:
nsActiveChainingComponents: cn=certificate-based authentication,cn=components,cn=config
Permissions: Read, search, and compare.

The password policy component
The password policy component adds SASL binds to the remote server. Authenticating with a user name and password is essential for some forms of SASL authentication. When you enable the password policy, it allows the server to verify and implement the specific authentication method requested and to apply the appropriate password policies. To chain this component's operations, add the following chaining component attribute:
nsActiveChainingComponents: cn=password policy,cn=components,cn=config
Permissions: Read, search, and compare.

The SASL component
The SASL component allows SASL to bind to the remote server. To chain this component's operations, add the following chaining component attribute:
nsActiveChainingComponents: cn=password policy,cn=components,cn=config
Permissions: Read, search, and compare.

The referential integrity postoperation component
The referential integrity postoperation component propagates updates made to attributes containing DNs to the entries that contain pointers to those attributes. For example, you can automatically remove an entry from a group when the group is deleted. Using the referential integrity postoperation plug-in together with chaining simplifies the management of static groups when the group members are remote to the static group definition.
nsActiveChainingComponents: cn=referential integrity postoperation,cn=plugins,cn=config
Permissions: Read, search, and compare.

The attribute uniqueness component
The attribute uniqueness component validates that all the values for a specified attribute are unique. When you chain the plug-in, it confirms that attribute values are unique even when attributes are changed through a database link. To chain this component's operations, add the following chaining component attribute:
nsActiveChainingComponents: cn=attribute uniqueness,cn=plugins,cn=config
Permissions: Read, search, and compare.

The roles component
The roles component chains the roles and role assignments for the entries in a database. When you chain this component, it maintains the roles even on chained databases. To chain this component's operations, add the following chaining component attribute:
nsActiveChainingComponents: cn=roles,cn=components,cn=config
Permissions: Read, search, and compare.
You cannot chain the Roles plug-in, Password Policy component, Replication plug-in, and Referential Integrity plug-in components. When you enable the Referential Integrity plug-in on servers that issue chaining requests, ensure that you have analyzed the performance, resource, time, and integrity needs. Note that integrity checks can be time-consuming and draining on memory and CPU.
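Because every component listed above must be matched by an ACI on the remote suffix that grants it read, search, and compare, a quick way to catch a half-finished configuration is to cross-check the local nsActiveChainingComponents values against the ACIs exported from the remote suffix. The following script is an added example and is not part of the Directory Server documentation or code base; the component list and the ACI strings in it are constructed sample data, and the ACI parser only understands the simple "allow (...) userdn = ..." form shown in this chapter.

```python
"""Audit chained components against the ACIs on the remote suffix.

Reports, for each component DN that is allowed to chain, which of the
permissions this chapter requires (read, search, compare) the remote
suffix does not yet grant to that DN. All input is constructed sample data.
"""
import re

# Constructed sample: values of nsActiveChainingComponents on the local cn=config.
LOCAL_CHAINING_COMPONENTS = [
    "cn=resource limits,cn=components,cn=config",
    "cn=certificate-based authentication,cn=components,cn=config",
    "cn=referential integrity postoperation,cn=plugins,cn=config",
]

# Constructed sample: aci attribute values on the remote suffix. The second
# ACI deliberately omits "compare", and no ACI exists for the certificate
# component, so the audit has something to report.
REMOTE_ACIS = [
    '(targetattr = "*")(target="ldap:///ou=customers,ou=People,dc=example,dc=com") '
    '(version 3.0; acl "RefInt Access for chaining"; allow (read,write,search,compare) '
    'userdn = "ldap:///cn=referential integrity postoperation,cn=plugins,cn=config";)',
    '(targetattr = "*")(version 3.0; acl "Resource limits for chaining"; '
    'allow (read,search) userdn = "ldap:///cn=resource limits,cn=components,cn=config";)',
]

# Permissions the chapter lists for every chainable component.
REQUIRED = {"read", "search", "compare"}

# Matches the simple allow clause form used in this chapter:
#   allow (perm,perm,...) userdn = "ldap:///<dn>"
ACI_RE = re.compile(
    r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///([^"]+)"', re.IGNORECASE)


def normalize_dn(dn):
    """Lower-case the DN and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci_grants(aci):
    """Return {normalized userdn: set of permissions} for each allow clause in an ACI."""
    grants = {}
    for perms, dn in ACI_RE.findall(aci):
        perm_set = {p.strip().lower() for p in perms.split(",") if p.strip()}
        grants.setdefault(normalize_dn(dn), set()).update(perm_set)
    return grants


def audit(components, acis, required=REQUIRED):
    """Map each chained component DN to the sorted list of permissions it still lacks."""
    granted = {}
    for aci in acis:
        for dn, perms in parse_aci_grants(aci).items():
            granted.setdefault(dn, set()).update(perms)
    return {c: sorted(required - granted.get(normalize_dn(c), set()))
            for c in components}


if __name__ == "__main__":
    for comp, missing in audit(LOCAL_CHAINING_COMPONENTS, REMOTE_ACIS).items():
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{comp}: {status}")
```

On the sample data the referential integrity component passes, the resource limits component is reported as missing compare, and the certificate-based authentication component is reported as missing all three permissions. To run it against real servers, replace the two lists with the output of the chaining configuration on the local server and the aci values read from the remote suffix.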
10.2. Chaining component operations using the command line
You can add a component allowed to chain by using the command line:
Procedure
- Specify the components to include in chaining:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com chaining config-set \
      --add-comp="cn=referential integrity postoperation,cn=components,cn=config"
- Restart the instance:
  # dsctl instance_name restart
- Create an ACI in the suffix on the remote server to which the operation will be chained:
  # ldapmodify -D "cn=Directory Manager" -W -H ldap://remoteserver.example.com:389 -x
  dn: ou=People,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (targetattr = "*")(target="ldap:///ou=customers,ou=People,dc=example,dc=com") (version 3.0; acl "RefInt Access for chaining"; allow (read,write,search,compare) userdn = "ldap:///cn=referential integrity postoperation,cn=plugins,cn=config";)
Verification
- Display the components allowed to chain:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com chaining config-get
10.3. Chaining component operations using the web console
You can add a component allowed to chain by using the web console:
Prerequisites
- You have opened the Directory Server user interface in the web console and selected the instance.
Procedure
- Open the Database tab.
- In the navigation on the left, select the Chaining Configuration entry.
- Click the button below the Components to Chain field.
- Select the component that you want to chain, and click the button to add it.
- Create an ACI in the suffix on the remote server to which the operation will be chained:
  # ldapmodify -D "cn=Directory Manager" -W -H ldap://remoteserver.example.com:389 -x
  dn: ou=People,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (targetattr = "*")(target="ldap:///ou=customers,ou=People,dc=example,dc=com") (version 3.0; acl "RefInt Access for chaining"; allow (read,write,search,compare) userdn = "ldap:///cn=referential integrity postoperation,cn=plugins,cn=config";)
Verification
- The selected component is listed as chained.