A USERDB object selects a user database for the parent virtual server. This selection occurs in the following manner:
The USERDB element's id attribute maps to an ACL file's database attribute.
The USERDB element's database attribute maps to a dbswitch.conf entry.
This layer between the ACL file and the dbswitch.conf file gives the server administrator full control over the databases to which virtual server administrators and users have access.
The dbswitch.conf file establishes the root of the search tree for LDAP databases as follows:
The base DN in the LDAP URL in dbswitch.conf defines a root object for all further DN specifications. So, for most new installations, it can be empty, because the final base DN is determined in other ways -- either through a dc tree lookup or an explicit basedn value in the USERDB tag.
A new dbswitch.conf attribute for LDAP databases, dcsuffix, defines the root of the dc tree. This root is relative to the base DN in the LDAP URL. If the database is schema compliant, you can use dcsuffix. Requirements for schema compliance are listed in Sun Java System LDAP Schema.
A user database is selected for a virtual server as follows:
If a VS has no USERDB subelement, user- or group-based ACLs fail.
When no database attribute is present in a virtual server’s ACL definition, the VS must have a USERDB subelement with an id attribute of default. The database attribute of the USERDB then points to a database in dbswitch.conf. If the USERDB element has no database attribute, default is used.
If an LDAP database is schema compliant, the base DN of the access is computed using a dc tree lookup of the VS element's hosts attribute that matches the client-supplied host header. If no hosts attribute matches, the servername attribute of the parent SERVER is used. The dc tree lookup is based at the dcsuffix DN. The result must contain an inetDomainBaseDN attribute that contains the base DN. This base DN is taken as is and is not relative to any of the base DN values.
If the basedn attribute of the USERDB element is not present and the database is not schema compliant, the access requests are relative to the base DN in the dbswitch.conf entry, as in previous Sun Java System Web Server versions.
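The selection rules above can be checked offline with a small model of the lookup chain. The following Python sketch is an added example, not code from the server or its documentation. The dict shapes, the function names, the sample values, and the precedence given to an explicit basedn over the dc tree lookup are assumptions made for illustration.

```python
# Added illustration. The dict shapes are assumptions, not the server's file formats.
def select_database(acl_database, userdbs, dbswitch):
    """ACL database attribute -> USERDB id -> USERDB database -> dbswitch.conf entry."""
    if not userdbs:
        raise LookupError("VS has no USERDB: user- and group-based ACLs fail")
    wanted_id = acl_database or "default"        # ACL names no database
    userdb = next((u for u in userdbs if u["id"] == wanted_id), None)
    if userdb is None:
        raise LookupError(f"no USERDB with id {wanted_id!r} in this VS")
    entry = userdb.get("database") or "default"  # USERDB names no database
    if entry not in dbswitch:
        raise LookupError(f"unknown dbswitch.conf entry {entry!r}")
    return userdb, dbswitch[entry]

def effective_base_dn(userdb, db, vs_hosts, servername, host_header, dc_tree):
    """Return (base DN, where it came from) for one request."""
    url_base = db.get("url_base_dn", "")
    if userdb.get("basedn"):
        # Assumption: explicit basedn takes precedence and is relative to the URL base DN.
        rel = userdb["basedn"]
        return (f"{rel},{url_base}" if url_base else rel), "USERDB basedn"
    if "dcsuffix" in db:                         # schema-compliant database
        host = host_header if host_header in vs_hosts else servername
        # dc_tree stands in for the LDAP lookup based at the dcsuffix DN.
        base = dc_tree.get(host, {}).get("inetDomainBaseDN")
        if base is None:
            raise LookupError(f"dc tree entry for {host!r} has no inetDomainBaseDN")
        return base, "dc tree"                   # taken as is, not relative
    return url_base, "dbswitch.conf URL"

# Constructed sample configuration.
DBSWITCH = {
    "shared": {"url_base_dn": "", "dcsuffix": "o=internet"},
    "legacy": {"url_base_dn": "o=legacy.example"},
    "corp":   {"url_base_dn": "o=corp.example"},   # not exposed to the VS below
}
USERDBS = [{"id": "default", "database": "shared"}, {"id": "old", "database": "legacy"}]
DC_TREE = {"www.a.example": {"inetDomainBaseDN": "o=a.example"},
           "server.example": {"inetDomainBaseDN": "o=server.example"}}

if __name__ == "__main__":
    for acl_db in (None, "old", "corp"):
        try:
            udb, db = select_database(acl_db, USERDBS, DBSWITCH)
            print(acl_db, effective_base_dn(udb, db, ["www.a.example"],
                                            "server.example", "www.a.example", DC_TREE))
        except LookupError as err:
            print(acl_db, "denied:", err)
```

An ACL that names corp is refused even though dbswitch.conf defines that entry, because no USERDB element in the virtual server exposes it.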