Mine would definitely be the second method you described (I don't know what the main LDAP server is running, and I can't touch its settings even if I knew)
These given instructions (copied below) go in the slapd.config, and everything else therein is removed?
Thanks, -Jim Stapleton
database ldap
suffix "dc=mydomain,dc=tld"
uri "ldap://the.real.server/"

In either case, after all database-specific directives you need to add

overlay rwm
# turn on rewriting (set to "off" to temporarily disable)
rwm-rewriteEngine on
# LDAP map that looks up the real DN for binds; add options as needed
# (see slapo-rwm(5) for details)
rwm-rewriteMap ldap "realBindDNLookup" "ldap://server/ou=People,dc=mydomain,dc=tld?entryDN?sub"
# The actual bind DN rewrite rules
rwm-rewriteContext bindDN
# extract the username from the incorrect DN, and try to use it
# as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
# fetch the corresponding DN
rwm-rewriteRule "^uid=([^,]+),ou=People,dc=mydomain,dc=tld$" "${realBindDNLookup(mail=$1@mydomain.tld)}" ":@I"
# if the lookup fails, the error is ignored, and thus
# the original DN is used.
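An added emulation of what the quoted bindDN rewrite does, written for this thread and not taken from slapd or the poster's configuration: the regex half of the rwm-rewriteRule pulls the uid out of the incoming DN, the map half becomes a "(mail=<uid>@mydomain.tld)" search returning entryDN, and a failed lookup leaves the original DN untouched as the last comment describes. The sample directory, the escaping of filter metacharacters, and treating zero or several matches as a failed lookup are this emulation's own assumptions.

```python
import re

# Constructed sample data standing in for the real server behind the map
# (ldap://server/ou=People,dc=mydomain,dc=tld?entryDN?sub): entryDN -> mail.
PEOPLE = {
    "cn=John Smith,ou=People,dc=mydomain,dc=tld": "jsmith@mydomain.tld",
    "cn=Dup One,ou=People,dc=mydomain,dc=tld": "dup@mydomain.tld",
    "cn=Dup Two,ou=People,dc=mydomain,dc=tld": "dup@mydomain.tld",
}

# The regex half of the rwm-rewriteRule from the thread.
BIND_DN_RULE = re.compile(r"^uid=([^,]+),ou=People,dc=mydomain,dc=tld$")

# RFC 4515 escapes for an assertion value (the emulation's own hygiene,
# so a uid such as "j*smith" cannot turn the equality match into a wildcard).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(uid):
    """The '(mail=<mailbox>@domain)' filter the map is fed, per the thread."""
    return f"(mail={escape_filter_value(uid)}@mydomain.tld)"


def real_bind_dn_lookup(ldap_filter):
    """Emulate the 'realBindDNLookup' map: equality match on mail, return entryDN.
    Assumption: zero or more than one match counts as a failed lookup."""
    m = re.fullmatch(r"\(mail=(.*)\)", ldap_filter)
    if not m:
        return None
    hits = [dn for dn, mail in PEOPLE.items() if mail == m.group(1)]
    return hits[0] if len(hits) == 1 else None


def rewrite_bind_dn(bind_dn):
    """Apply the bindDN rewrite context to one incoming bind DN."""
    m = BIND_DN_RULE.match(bind_dn)
    if not m:
        return bind_dn  # rule does not match: the DN passes through unchanged
    real_dn = real_bind_dn_lookup(build_lookup_filter(m.group(1)))
    # As the last comment in the thread says: a failed lookup is ignored
    # and the original DN is sent on as-is.
    return bind_dn if real_dn is None else real_dn
```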