(feeling a tad silly, now that I have discovered I was not replying to the actual mailing list but to single people.)
OK so I have managed to get both the ldap and hdb databases to coexist, mostly through copying code straight from the ldapglue test in the OpenLDAP build files. The ldif file I use now for my backend is as follows -
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
olcModuleload: back_ldap

dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: ou=internal,dc=companyname,dc=local
olcSubordinate: TRUE
olcDbURI: "ldap://companyname.local"
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=companyname,dc=local
olcLastMod: TRUE
olcRootDN: cn=admin,dc=companyname,dc=local
olcRootPW: {SSHA}hashed password
olcDbDirectory: /var/lib/ldap
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=minecorp,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read
I can search dc=companyname,dc=local fine, I see the users in this tree and the Internal OU. However I do not see any of the users from the AD linked to by this database. I know I can ldap search it from the server and get results, so I believe that either I need to construct my search differently or it is an authentication issue. As I read it, I need to use idassert-bind, specifying a user from AD with read access, and that user will be used to search AD.
I have a few questions leading from this - The first is: does anyone know the syntax for idassert-bind as it applies to ldif files to be ldapadded to the RTC? As I read it, if it were slapd.conf I would want -
idassert-bind bindmethod=simple binddn="cn=proxy,ou=service accounts,ou=users,dc=companyname,dc=local" credentials="password" mode=self
but I am unsure how to structure this for RTC.
The second is - am I correct in thinking that, once this is all working, a search with (objectclass=*) on the dc=companyname,dc=local should return all the users in that branch as well as all the users in AD? Or will I need to craft my search differently to deal with the proxy?
The third is also just a confirmation - is idassert-bind meant for what I think it is? Should it contain a user not in the local DSA but in the one I am proxying to? Or have I misread?
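As an added illustration (not part of the post above, and not the poster's configuration), the slapd.conf `idassert-bind` directive has a direct cn=config counterpart, the `olcDbIDAssertBind` attribute of the back-ldap database entry, and `idassert-authzFrom` maps to `olcDbIDAssertAuthzFrom`. The LDIF below applies both to the existing `olcDatabase={1}ldap,cn=config` entry as a modify operation. The proxy DN is taken from the slapd.conf line in the post; the password is a placeholder. `mode=none` is used here rather than `mode=self` so that the proxy simply binds as the service account and does not try to forward the local user's identity with the proxied-authorization control (RFC 4370); `mode=self` is only appropriate when the remote server supports that control. In LDIF a continuation line begins with one space, so the second space on each wrapped line is what keeps the value's tokens separated once they are joined.

```ldif
# Added example: cn=config equivalent of
#   idassert-bind bindmethod=simple binddn="..." credentials="..." mode=...
# Assumptions: the proxy account DN below is the one from the post,
# the password is a placeholder, and olcDatabase={1}ldap already exists.
dn: olcDatabase={1}ldap,cn=config
changetype: modify
add: olcDbIDAssertBind
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=proxy,ou=service accounts,ou=users,dc=companyname,dc=local"
  credentials="REPLACE_WITH_PROXY_PASSWORD"
  mode=none
-
# Which local identities may use the asserted identity; "dn.regex:.*"
# allows any local identity (including anonymous) to be proxied as cn=proxy.
add: olcDbIDAssertAuthzFrom
olcDbIDAssertAuthzFrom: "dn.regex:.*"
-
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f idassert.ldif`, then confirm the proxy path works independently of the glue with `ldapsearch -x -H ldap://localhost -b ou=internal,dc=companyname,dc=local "(objectClass=*)"` before testing a subtree search from the `dc=companyname,dc=local` superior. Two things worth checking afterwards: the `olcDbIDAssertBind` value holds the service-account password in the clear, so the `cn=config` directory under `slapd.d` must stay readable by the slapd user only and the cn=config ACLs must not expose that attribute to ordinary binds; and because `olcDbRebindAsUser` is `FALSE`, every proxied query reaches the remote directory as `cn=proxy`, so that account should have no more than read access to the objects that are meant to be visible through the proxy.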