Hi,
dn: olcDatabase={3}meta,cn=config objectClass: olcDatabaseConfig objectClass: olcMetaConfig olcDatabase: {3}meta olcSuffix: dc=loc1,dc=root olcSuffix: dc=loc2,dc=root olcSuffix: dc=loc3,dc=root
I've never used meta backend, but the above doesn't look valid to me (multiple suffixes). The man page shows a single suffix, with URI directives for additional representations of the DB.
Indeed, you can only have one olcSuffix. This is the suffix under which your source URIs will be presented. I'm running a meta backend with the following configuration:
I have two source servers, first and second. Both have a subtree ou=people,ou=mydomain. The trees are combined on the meta server under the new suffix ou=newsuffix,dc=mydomain as ou=apeople and ou=bpeople.
dn: olcDatabase={1}meta, cn=config olcDatabase: {1}meta olcSuffix: ou=newsuffix,dc=mydomain objectClass: olcDatabaseConfig objectClass: olcMetaConfig
dn: olcMetaSub={0}uri, olcDatabase={1}meta, cn=config olcDbURI: "ldap://first.source.server/ou=apeople,ou=newsuffix,dc=mydomain" objectClass: olcMetaTargetConfig olcMetaSub: {0}uri olcDbRewrite: {0}suffixmassage "ou=apeople,ou=newsuffix,dc=mydomain" "ou=people,dc=mydomain" olcDbIDAssertBind: mode=none flags=override,prescriptive,proxy-authz-critical bindmethod=simple binddn="cn=myadmin" credentials="secret" starttls=yes tls_cert="/etc/openldap/certs/mycert.pem" tls_key="/etc/openldap/certs/mycert.key" tls_cacert="/etc/openldap/cacerts/cacerts.pem" tls_cacertdir="/etc/openldap/cacerts" tls_reqcert=demand
dn: olcMetaSub={1}uri, olcDatabase={1}meta, cn=config olcDbURI: "ldap://second.source.server/ou=bpeople,ou=newsuffix,dc=mydomain" objectClass: olcMetaTargetConfig olcMetaSub: {1}uri olcDbRewrite: {0}suffixmassage "ou=bpeople,ou=newsuffix,dc=mydomain" "ou=people,dc=mydomain" olcDbIDAssertBind: mode=none flags=override,prescriptive,proxy-authz-critical bindmethod=simple binddn="cn=myadmin" credentials="secret" starttls=yes tls_cert="/etc/openldap/certs/mycert.pem" tls_key="/etc/openldap/certs/mycert.key" tls_cacert="/etc/openldap/cacerts/cacerts.pem" tls_cacertdir="/etc/openldap/cacerts" tls_reqcert=demand
Hope this helps. Dirk