One more follow-up question. I want the "meta" database on the external server contacted via TLS/SSL.
if I set:

uri             "ldap://directory.company.com/ou=People,o=company,c=US"

things work perfectly; however, if I set:

uri             "ldaps://directory.company.com/ou=People,o=company,c=US"

I get "server is unavailable" when I do things like ldapwhoami. Is there something I can configure in my ldap.conf to allow ldaps authentication to the server defined in my "meta" stanza?

--stephen

On 1/22/07, Stephen Agar <seagar@gmail.com> wrote:
Wow... thanks a bunch, that worked perfectly.

--stephen


On 1/22/07, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
Try something more like:

database        meta
suffix          "ou=people,o=company,c=US"
subordinate

database        bdb
suffix          "o=company,c=US"

see if that does what you want...

On Mon, 22 Jan 2007, Stephen Agar wrote:

> I have an LDAP server with a base "o=company, c=us". There is another
> server which controls "ou=people,o=company,c=us", so in slapd.conf I have
> the following:
>
> database        bdb
> suffix          "o=company,c=US"
> rootdn          "cn=Manager,o=company,c=US"
> rootpw          *******
> directory       /usr/var/openldap-data
> # Indices to maintain
> index   objectClass     eq
> index   ou,cn,uid       eq,pres,sub
>
> #meta test
> database        meta
> suffix          "ou=people,o=company,c=US"
> uri             "ldap://directory.company.com/ou=People,o=company,c=US"
>
>
> When I try to start slapd, I get: /etc/openldap/slapd.conf: line 84:
> <suffix> namingContext "o=company,c=US" already served by a preceding bdb
> database serving namingContext "o=company,c=US". Am I misusing meta? Can I
> not proxy binds/lookups to specific OUs to a secondary LDAP?  I understand
> what the message is saying, but don't think I understand the proper use of
> meta.
>
> For example, I have an ou=groups that contains "groupofnames" and the
> members of those groups are like "uid=123456,ou=people,o=company,c=us". So I
> want ou=groups owned on my server, then when specific members try to
> bind, they are proxied to this external LDAP server that serves
> ou=people,o=company,c=us and contains their uids and passwords. Am I going
> about this the wrong way? Is there a way to accomplish what I'm trying to do?
>
>
> Thanks in advance...
> --stephen
>
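The "already served by a preceding bdb database" error in the thread comes from a slapd.conf ordering rule: a database whose suffix lies inside another database's suffix must be listed first, and a subordinate database needs its superior later in the file. The checker below is an added example written here in Python, not OpenLDAP code; the two slapd.conf fragments are constructed from the original post's order and Aaron's fix.

```python
def normalize_dn(dn):
    # Lowercase and trim each RDN so "ou=People, o=company" matches "ou=people,o=company".
    return [rdn.strip().lower() for rdn in dn.strip().strip('"').split(",")]

def is_under(child, parent):
    # True when child lies strictly below parent (parent is child's trailing RDN sequence).
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) > len(p) and c[-len(p):] == p

def parse_databases(conf_text):
    # Collect each database stanza with its first suffix and whether it is subordinate.
    dbs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, val = (line.split(None, 1) + [""])[:2]
        if key.lower() == "database":
            dbs.append({"type": val.strip(), "suffix": None, "subordinate": False})
        elif key.lower() == "suffix" and dbs and dbs[-1]["suffix"] is None:
            dbs[-1]["suffix"] = val.strip().strip('"')
        elif key.lower() == "subordinate" and dbs:
            dbs[-1]["subordinate"] = True
    return dbs

def check_ordering(conf_text):
    # slapd.conf(5): an inner suffix must precede its superior; a subordinate needs a superior after it.
    dbs = [d for d in parse_databases(conf_text) if d["suffix"]]
    problems = []
    for i, db in enumerate(dbs):
        for prev in dbs[:i]:
            if is_under(db["suffix"], prev["suffix"]):
                problems.append('%s suffix "%s" already served by preceding %s database "%s"'
                                % (db["type"], db["suffix"], prev["type"], prev["suffix"]))
        if db["subordinate"] and not any(is_under(db["suffix"], d["suffix"]) for d in dbs[i + 1:]):
            problems.append('subordinate %s "%s" has no superior database after it'
                            % (db["type"], db["suffix"]))
    return problems

# Constructed slapd.conf fragments: the order from the original post, then Aaron's fix.
BROKEN_CONF = """database        bdb
suffix          "o=company,c=US"
database        meta
suffix          "ou=people,o=company,c=US"
"""
FIXED_CONF = """database        meta
suffix          "ou=people,o=company,c=US"
subordinate
database        bdb
suffix          "o=company,c=US"
"""
```

Running `check_ordering(BROKEN_CONF)` reports the meta suffix as already served by the preceding bdb database, while `check_ordering(FIXED_CONF)` returns an empty list.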