> Sorry!
> I mistyped the uri where the user is found (this happens because I saw
> this behaviour on the real configuration and I had to massage it).
> The search command, issued from the openldap server itself, is:
>
> ldapsearch -xLLL -H ldap:/// -D "cn=LdapBindUser,dc=newco,dc=com" -w
> secret1 -E pr=647/noprompt -b 'DC=newco,DC=com' 'sn=policastro' dn
>
> I find two records, one correct and one unexpected:
>
> dn: cn=Policastro Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com
> (matches the line marked with *)
>
> dn: cn=Policastro Francesco,ou=UsersDisable,dc=second,dc=newco,dc=com
OK, I got the point. You're probably misusing this feature. If you want
to prevent a portion of the subtree from being returned, you need to use
ACL.
The subtree-{in|ex}clude is only used during candidate selection. This
means that it is used while deciding whether or not an operation must be
propagated to a specific target.
For example, let's say that target #1 is rooted at "ou=Sub 1,dc=org", and
target #2 is rooted at "dc=org", and it is known that target #2 does not
contain a subtree named "ou=Sub 1,dc=org". Adding
subtree-exclude "ou=Sub 1,dc=org"
to target #2 prevents searches whose searchBase is (a subordinate of)
"ou=Sub 1,dc=org" from spanning target #2 in addition to target #1.
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
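The candidate-selection rule Pierangelo describes, as an added illustration that is not OpenLDAP's code and not part of this thread: the targets, suffixes and search bases are constructed to match his "ou=Sub 1,dc=org" example, and the handling of subtree-scope searches (a target rooted below the searchBase is also a candidate) is an assumption of this model, not something the reply states.

```python
# Added model (not OpenLDAP code) of back-meta candidate selection as described
# in the reply: subtree-exclude decides which targets an operation is sent to,
# keyed on the searchBase; it does not filter the entries a target returns.
from dataclasses import dataclass, field


def norm(dn: str) -> str:
    # Constructed minimal DN normalisation: case-fold, drop spaces around commas.
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def is_within(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or is subordinate to it."""
    dn, suffix = norm(dn), norm(suffix)
    return dn == suffix or dn.endswith("," + suffix)


@dataclass
class Target:
    name: str
    suffix: str
    subtree_exclude: list = field(default_factory=list)


def candidates(targets, search_base, scope="sub"):
    """Names of the targets a search with this searchBase is propagated to.

    Rule from the reply: a target whose suffix covers searchBase is a candidate
    unless searchBase is (a subordinate of) one of its subtree-exclude DNs.
    Assumption added here: for subtree-scope searches a target rooted *below*
    searchBase is also a candidate, since its entries fall inside the scope.
    """
    chosen = []
    for t in targets:
        covered = is_within(search_base, t.suffix)
        excluded = any(is_within(search_base, ex) for ex in t.subtree_exclude)
        below = scope == "sub" and is_within(t.suffix, search_base)
        if (covered and not excluded) or below:
            chosen.append(t.name)
    return chosen


# Constructed targets matching the reply's example.
TARGETS = [
    Target("target1", "ou=Sub 1,dc=org"),
    Target("target2", "dc=org", subtree_exclude=["ou=Sub 1,dc=org"]),
]

if __name__ == "__main__":
    for base in ["cn=x,ou=Sub 1,dc=org", "ou=Sub 2,dc=org", "dc=org"]:
        print(f"{base:24} -> {candidates(TARGETS, base)}")
```

A search based at "dc=org" still spans both targets, so an entry under "ou=Sub 1,dc=org" that really exists in target #2 is returned regardless of the exclude; hiding it is an ACL matter, as the reply says.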