I am trying to "extend" a corporate Active Directory with application-specific user attributes by running a local OpenLDAP (2.4.34) with back-ldap and the translucent overlay. I can add local attributes associated with remote entries, and I can see these local attributes when searching on a remote attribute. But I cannot modify local attributes, and searching on a local attribute returns no results. For example, after

    ldapadd -x -H ldaps://localhost -D "cn=admin,dc=example,dc=com" -W -f addLocalUser.ldif

where "cn=admin,dc=example,dc=com" is the local rootdn and addLocalUser.ldif contains

    dn: cn=John Doe,ou=myOrg,dc=example,dc=com
    objectclass: organizationalPerson
    objectclass: myPerson
    myAttribute: somevalue

the search

    ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \
       -D "cn=remoteuser,cn=Users,dc=example,dc=com" -W \
       '(mail=john.doe@example.com)' cn manager myattribute

(where remoteuser has read access on the remote directory and read/write access on the local directory) returns one entry with the expected cn, manager, and myattribute values. But the search

    ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \
       -D "cn=admin,cn=Users,dc=example,dc=com" -W \
       '(myattribute=somevalue)' cn manager myattribute

returns nothing. And the modify commands

    ldapmodify -x -H ldaps://localhost \
       -D "cn=admin,dc=example,dc=com" -W -f modUser.ldif
    ldapmodify -x -H ldaps://localhost \
       -D "cn=remoteuser,cn=Users,dc=example,dc=com" -W -f modUser.ldif

where modUser.ldif contains

    dn: cn=John Doe,ou=myOrg,dc=example,dc=com
    changetype: modify
    replace: myAttribute
    myAttribute: anothervalue

both result in

    ldapmodify: No such object (32)
        additional info: attempt to modify nonexistent local record

I've read the relevant parts of the Admin Guide and the relevant man pages numerous times, along with everything I found via Google. I've also studied the translucent overlay test cases. It looks like what I'm trying to do is a mainstream use case, so obviously I'm missing some crucial aspects of configuration. Here are the slapd.conf backend configs that I'm using (with name changes to match the examples above):

    database mdb
    suffix      "dc=example,dc=com"
    rootdn      "cn=admin,dc=example,dc=com"
    rootpw      {SSHA}blahblah
    directory   /opt/openldap-2.4/var/local-data
    index       objectClass      eq,pres
    index       myAttribute      eq,pres,sub

    overlay translucent
    uri                 "ldaps://ldap.example.com/"
    acl-bind            bindmethod=simple binddn=cn=remoteuser,cn=Users,dc=example,dc=com credentials={SSHA}blahblah tls_reqcert=demand
    idassert-bind       bindmethod=simple binddn=cn=remoteuser,cn=Users,dc=example,dc=com credentials={SSHA}blahblah mode=none tls_reqcert=demand
    idassert-authzFrom  dn.regex:.*
    rebind-as-user
    chase-referrals     yes
    translucent_local   cn,myAttribute
    translucent_remote  cn,mail

Are there glaring mistakes here? Thanks for reading this far :-)

Steve
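To make the merge semantics the post relies on concrete, here is an added illustration (not OpenLDAP code and not part of the original post): a small Python model of a translucent proxy in which a local store keyed by the remote entry's DN holds extra attributes, searches are evaluated over the merged view of each entry, and modifications land in the local store only. REMOTE, LOCAL, the DN normalisation and the tiny equality/AND filter parser are constructed for the example; it models the behaviour slapo-translucent(5) describes (local attributes added to, or overriding, a remote entry) and does not diagnose the configuration above.

```python
"""Simplified model of a translucent proxy: a local store keyed by the
remote entry's DN holds extra or overriding attributes, reads merge the
two stores, and writes go only to the local store. Added illustration
code, not OpenLDAP; the data and filter grammar are constructed for it."""
import re

# Constructed sample data: REMOTE stands in for the proxied Active
# Directory, LOCAL for the attributes the local database adds on top.
REMOTE = {
    "cn=John Doe,ou=myOrg,dc=example,dc=com": {
        "objectClass": ["organizationalPerson"],
        "cn": ["John Doe"],
        "mail": ["john.doe@example.com"],
        "manager": ["cn=Jane Roe,ou=myOrg,dc=example,dc=com"],
    },
    "cn=Jane Roe,ou=myOrg,dc=example,dc=com": {
        "objectClass": ["organizationalPerson"],
        "cn": ["Jane Roe"],
        "mail": ["jane.roe@example.com"],
    },
}
LOCAL = {
    "cn=John Doe,ou=myOrg,dc=example,dc=com": {"myAttribute": ["somevalue"]},
}


class NoSuchObject(Exception):
    """Stands in for LDAP result code 32 (noSuchObject)."""


def norm_dn(dn):
    """DN matching ignores case and spaces around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def lookup(store, dn):
    want = norm_dn(dn)
    for key, attrs in store.items():
        if norm_dn(key) == want:
            return key, attrs
    return None, None


def merged_entry(dn):
    """The entry a client sees: remote attributes with local attributes
    added, a local attribute replacing a remote one of the same name."""
    _, remote = lookup(REMOTE, dn)
    if remote is None:
        return None                      # no remote entry, no entry at all
    merged = {k: list(v) for k, v in remote.items()}
    _, local = lookup(LOCAL, dn)
    for k, v in (local or {}).items():
        merged[k] = list(v)
    return merged


def parse_filter(text):
    """Accepts (attr=value) and (&(attr=value)(attr=value)...)."""
    text = text.strip()
    if text.startswith("(&") and text.endswith(")"):
        parts = re.findall(r"\([^()]*\)", text[2:-1])
        return ("and", [parse_filter(p) for p in parts])
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()]*)\)", text)
    if not m:
        raise ValueError("unsupported filter: " + text)
    return ("eq", m.group(1).lower(), m.group(2).lower())


def matches(entry, f):
    if f[0] == "and":
        return all(matches(entry, sub) for sub in f[1])
    _, attr, value = f
    return any(k.lower() == attr and value in (x.lower() for x in vals)
               for k, vals in entry.items())


def search(filter_text, attrs=None):
    """Evaluate the filter against the merged view of every remote entry,
    so (myattribute=somevalue) and (mail=john.doe@example.com) both find
    John Doe; the requested attribute list is applied afterwards."""
    f = parse_filter(filter_text)
    want = {a.lower() for a in attrs} if attrs else None
    hits = []
    for dn in REMOTE:
        entry = merged_entry(dn)
        if matches(entry, f):
            if want is not None:
                entry = {k: v for k, v in entry.items() if k.lower() in want}
            hits.append((dn, entry))
    return hits


def modify_replace(dn, attr, values):
    """Write only to the local store; the remote directory is never
    modified. In this model a DN the remote does not have is rejected,
    since there is no remote entry to merge the local attributes onto."""
    if lookup(REMOTE, dn)[0] is None:
        raise NoSuchObject(dn)
    key, local = lookup(LOCAL, dn)
    if local is None:                    # first local attribute for this DN
        key, local = dn, {}
        LOCAL[key] = local
    local[attr] = list(values)
    return merged_entry(dn)[attr]
```

Running the same sequence as the post against the model (search on mail, search on myAttribute, replace myAttribute, search again) returns John Doe from both filters and shows the replaced value on the next search, which is the behaviour the post expects from the real overlay: the filter has to be evaluated over the merged entry, and the write has to reach the local record that carries the attribute.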