Hi all,
I realized that the subtree-include directives I use in my meta backend are not converted at all to cn=config: I cannot find them anywhere in the cn=config tree. The slapd version is 2.4.33 as patched after ITS#7525 (openldap-648d28f.tar.gz). Here is my slapd.conf:
====================================================
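#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it contains the rootpw values and
# the cleartext credentials used for the outbound idassert binds below.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/dyngroup.schema

# Attribute types not provided by the schemas included above; declared
# locally so the "map attribute" directives of the meta targets can refer
# to them.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.35 NAME 'employeeID' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.8 NAME 'userAccountControl' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/slapd.pid

# ----------------------
backend meta
backend hdb
# ----------------------

# ----------------------
database meta
# ----------------------
suffix "dc=newco,dc=com"
readonly on
rootdn "cn=LdapBindUser,dc=newco,dc=com"
# rootpw is stored in cleartext here; slapd.conf(5) also accepts a hashed
# value (as produced by slappasswd(8)).
rootpw secret1

# no anonymous bind
require authc
conn-ttl 25m

dncache-ttl disabled

# Deny everything to every identity except the rootdn (the rootdn is not
# subject to access controls), so only cn=LdapBindUser can read this tree.
access to * by * none

# first domain
uri "ldap://server1.it.domain1.com/dc=first,dc=newco,dc=com"
# Outbound bind to the remote target; these credentials cannot be hashed,
# which is why the file mode matters (see header).
idassert-bind bindmethod=simple
  binddn="cn=LDAP User,ou=ITStaff,dc=it,dc=domain1,dc=com"
  credentials=secret2
chase-referrals no
rebind-as-user true
map objectclass groupOfNames *
map objectclass person *
suffixmassage "dc=first,dc=newco,dc=com" "dc=it,dc=domain1,dc=com"
# Restrict this target to the listed subtrees of the remote directory.
# NOTE(review): if these directives are lost in a cn=config conversion the
# target is no longer limited to these OUs -- verify the converted entries.
subtree-include "ou=Applications,ou=Groups Shared,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=1st-location,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=3rd-location,dc=first,dc=newco,dc=com"

# map visible attributes to matching attributes on backend
map attribute distinguishedName *
map attribute givenName *
map attribute description *
map attribute sn *
map attribute cn *
map attribute mail *
map attribute samAccountName *
map attribute userAccountControl *
map attribute employeeID *
map attribute userPrincipalName *

# map everything else to null
map attribute *

# second domain
uri "ldap://server2.domain2.net/ou=organizationalUnit,dc=second,dc=newco,dc=com"
idassert-bind bindmethod=simple
  binddn="cn=ldap-2,cn=Users,dc=domain2,dc=net"
  credentials=secret3
chase-referrals no
rebind-as-user true
map objectclass groupOfNames *
map objectclass person *
suffixmassage "dc=second,dc=newco,dc=com" "dc=domain2,dc=net"
# Same subtree restriction as the first target, for this domain's OUs.
subtree-include "ou=Users,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com"
subtree-include "ou=My-ou,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com"
subtree-include "ou=Remote Sites,ou=organizationalUnit,dc=second,dc=newco,dc=com"

# map visible attributes to matching attributes on backend
map attribute distinguishedName *
map attribute givenName *
map attribute description *
map attribute sn *
map attribute cn *
map attribute mail *
map attribute samAccountName *
map attribute userAccountControl *
# Unlike the first target, employeeID is taken from the remote "pager"
# attribute here.
map attribute employeeID pager
map attribute userPrincipalName *

# map everything else to null
map attribute *

# ----------------------
database hdb
# ----------------------
suffix "dc=domain-groups,dc=com"
rootdn "cn=groupsRoot,dc=domain-groups,dc=com"
# Cleartext rootpw; a slappasswd(8) hash is accepted here as well.
rootpw secret4
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
directory /usr/local/var/openldap-data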
=============================================
Has anyone successfully used subtree-include directives with cn=config?
Thanks, Francesco Policastro
openldap-technical@openldap.org