I see. So I need to look at ACL, because my real meta configuration contains two trees coming from different forests, sharing nothing. It's the result of a merge of two companies, each with its AD, and I use OpenLDAP to authenticate users against a single meta domain, after a long job to rename many users who just shared the only object I did not want, i.e. the sAMAccountNname. Thanks, Francesco