On Thu, 20 Dec 2012, Bryce Powell wrote:
> “When a search with base "dc=foo,dc=com" is attempted, if the scope is "base" it fails with "no such object"; in fact, the common root of the two targets (prior to massaging) does not exist.” The vendor won't change their code to skip the verification, and recommended I use Microsoft's ADAM instead of OpenLDAP. I would prefer to leverage OpenLDAP, so does anyone have any recommendations as to what I could do? Thanks, Bryce
You're quoting from "scenario 2a" from the man page, which envisions dc=a,dc=foo,dc=com and dc=b,dc=foo,dc=com; your desire is to serve some data at dc=foo,dc=com. So you have to make that exist (obviously). You'll need a data store to place your "dc=foo,dc=com" data, and you'll need to "attach" dc=a,dc=foo,dc=com and dc=b,dc=foo,dc=com. So basically...
# maybe ldap or even relay in some installations
database    meta
suffix      "dc=a,dc=foo,dc=com"
subordinate
uri         "ldap://a.foo.com/dc=a,dc=foo,dc=com"

database    meta
suffix      "dc=b,dc=foo,dc=com"
subordinate
uri         "ldap://b.foo.com/dc=b,dc=foo,dc=com"

# or hdb or bdb or even ldif or.....
database    mdb
suffix      "dc=foo,dc=com"
So then dc=a and dc=b live over the wire, and dc=foo,dc=com can be filled with Whatever You Want. Like, say, your base-scope data at dc=foo,dc=com. You'll almost certainly want to set up some careful ACLs and make sure, in particular, that nobody writes any dc=a/dc=b data to the on-disk database. Without trying it, I don't think it would cause a failure per se, but it would cause a very confused LDAP admin (quite undesirable)! (As for "dc=c" data on-disk, that's up to you and your site.)
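For anyone wanting to try the layout above end to end, here is a fuller slapd.conf skeleton. It is an added example, not the configuration from the post or from any vendor; the host names a.foo.com and b.foo.com are the ones used in the thread, while the schema path, the database directory, the rootdn and its placeholder password, and the ACL set are assumptions made for illustration.

```conf
# Added example, not from the original post. Glues two remote
# naming contexts under a locally held dc=foo,dc=com.

# Assumed schema location; adjust to the local install.
include         /etc/openldap/schema/core.schema

# Subordinate (glued) databases are defined before their superior.
# back-meta takes the target naming context as part of the URI, and
# that naming context must sit inside the database suffix, so suffix
# comes first.
database        meta
suffix          "dc=a,dc=foo,dc=com"
subordinate
uri             "ldap://a.foo.com/dc=a,dc=foo,dc=com"

database        meta
suffix          "dc=b,dc=foo,dc=com"
subordinate
uri             "ldap://b.foo.com/dc=b,dc=foo,dc=com"

# Superior database: holds the dc=foo,dc=com entry itself (and any
# purely local subtree such as dc=c,dc=foo,dc=com, if the site wants
# one). dc=a and dc=b requests are routed to the meta databases by
# the glue, so this store should never receive their data.
database        mdb
suffix          "dc=foo,dc=com"
directory       /var/lib/ldap/foo
rootdn          "cn=admin,dc=foo,dc=com"
# Assumed placeholder; replace with a hash generated by slappasswd.
rootpw          secret

# No ordinary identity gets write access to the on-disk data; only
# the rootdn (which bypasses ACLs) can change it. Passwords stay
# readable only for binding.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by users read
        by * none
```

Check the file with `slaptest -u -f slapd.conf` before starting slapd. The superior needs exactly one entry to make the base exist: an LDIF for `dn: dc=foo,dc=com` with objectClass `dcObject` and `organization`, `dc: foo` and an `o:` value, loaded offline with `slapadd -b "dc=foo,dc=com" -l base.ldif`. After that, a base-scope search for `dc=foo,dc=com` (for example `ldapsearch -x -H ldap://localhost -b dc=foo,dc=com -s base`, assuming slapd listens locally) returns the entry instead of noSuchObject, which is the check the vendor's code was failing. Note that the ACLs above only govern access through slapd; slapadd writes straight into the mdb store and is the path to watch if dc=a or dc=b data is ever to be kept out of it.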