I am trying to "extend" a corporate Active Directory with application-specific user attributes by running a local OpenLDAP (2.4.34) with back-ldap and the translucent overlay. I can add local attributes associated with remote entries, and I can see these local attributes when searching on a remote attribute. But I cannot modify local attributes, and searching on a local attribute returns no results. For example, after
ldapadd -x -H ldaps://localhost -D "cn=admin,dc=example,dc=com" -W -f addLocalUser.ldif
where "cn=admin,dc=example,dc=com" is the local rootdn and addLocalUser.ldif contains
dn: cn=John Doe,ou=myOrg,dc=example,dc=com
objectclass: organizationalPerson
objectclass: myPerson
myAttribute: somevalue
the search
ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \
    -D "cn=remoteuser,cn=Users,dc=example,dc=com" -W \
    '(mail=john.doe@example.com)' cn manager myattribute
(where remoteuser has read access on the remote directory and read/write access on the local directory) returns one entry with the expected cn, manager, and myattribute values. But the search
ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \
    -D "cn=admin,cn=Users,dc=example,dc=com" -W \
    '(myattribute=somevalue)' cn manager myattribute
returns nothing. And the modify commands
ldapmodify -x -H ldaps://localhost \
    -D "cn=admin,dc=example,dc=com" -W -f modUser.ldif

ldapmodify -x -H ldaps://localhost \
    -D "cn=remoteuser,cn=Users,dc=example,dc=com" -W -f modUser.ldif
where modUser.ldif contains
dn: cn=John Doe,ou=myOrg,dc=example,dc=com
changetype: modify
replace: myAttribute
myAttribute: anothervalue
both result in
ldapmodify: No such object (32)
        additional info: attempt to modify nonexistent local record
I've read the relevant parts of the Admin Guide and the relevant man pages numerous times, along with everything I found via Google. I've also studied the translucent overlay test cases. It looks like what I'm trying to do is a mainstream use case, so obviously I'm missing some crucial aspects of configuration. Here are the slapd.conf backend configs that I'm using (with name changes to match the examples above):
database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}blahblah
directory /opt/openldap-2.4/var/local-data
index objectClass eq,pres
index myAttribute eq,pres,sub

overlay translucent
uri "ldaps://ldap.example.com/"
acl-bind bindmethod=simple binddn=cn=remoteuser,cn=Users,dc=example,dc=com credentials={SSHA}blahblah tls_reqcert=demand
idassert-bind bindmethod=simple binddn=cn=remoteuser,cn=Users,dc=example,dc=com credentials={SSHA}blahblah mode=none tls_reqcert=demand
idassert-authzFrom dn.regex:.*
rebind-as-user
chase-referrals yes
translucent_local cn,myAttribute
translucent_remote cn,mail
Are there glaring mistakes here? Thanks for reading this far :-)
Steve
openldap-technical@openldap.org