Hello everyone,

I am struggling to make an openldap/meta configuration work:

i have two active directory domain/servers: dc=mysite,cd=com and dc=other,dc=mysite,dc=com

my goal is to integrate both domains with an application who can integrate with a SINGLE ldap source for user authentication.

i'd like to build an openldap meta/proxy to build a virtual tree with

mysite.com (empty)

--- ou=virtual, dc= mysite,dc =com

--- ou=other, dc= mysite,dc =com

I'm working with these configuration:

database meta
suffix   "dc=mysite,cd=com"

..

uri          "ldap://SRV-xxxxxx/ou=virtual, dc= mysite,dc =com"
readonly      yes
lastmod       off
suffixmassage "ou=virtual, dc= mysite,dc =com" "dc= mysite,dc =com"

uri "ldap://SRV-yyyy/ou=other, dc= mysite,dc =com"
readonly      yes
lastmod       off
suffixmassage "ou=other, dc= mysite,dc =com" "dc=other,dc=mysite,dc=com"

The ldap tree is accessible but the group membership is wrong: the value of memberof attributes for every user still has the original value, not the remapped value,for example:

cn=user,ou=someou,dc=mysite,cd=com

cn=somegroup,ou=groups,dc=mysite,cd=com

are seen by the client as

but the membeof attribute of user.someou.mysite.com is

cn=somegroup,ou=groups,dc=mysite,cd=com

i expect it to be

membeof=cn=somegroup,ou=groups,ou=virtual,dc=mysite,cd=com

Can someone advice if this is the correct way to address this problem ?

Can someone point me to the proper documentation ?

Thank you

Marco