Sorry! I mistyped the uri where the user is found (this happens because I saw this behaviour on the real configuration and I had to massage it). The search command, issued from the openldap server itself, is:

ldapsearch -xLLL -H ldap:/// -D ""cn=LdapBindUser,dc=newco,dc=com" -w secret1 -E pr=647/noprompt -b 'DC=newco,DC=com' 'sn=policastro' dn

I find two records, one correct and one unexpected:

dn: cn=Policastro Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com" (matches the line marked with *)

dn: cn=Policastro Francesco,ou=UsersDisable,dc=second,dc=newco,dc=com

OK, I got the point. You're probably misusing this feature. If you want to prevent a portion of the subtree from being returned, you need to use ACL.

The subtree-{in|ex}clude is only used during candidate selection. This means that it is used while deciding whether or not an operation must be propagated to a specific target.

For example, let's say that target #1 is rooted at "ou=Sub 1,dc=org", and target #2 is rooted at "dc=org", and it is known that target #2 does not contain a subtree named "ou=Sub 1,dc=org", adding

subtree-exclude "ou=Sub 1,dc=org"

to target #2 prevents searches whose searchBase is (a subordinate of) "ou=Sub 1,dc=org" to span target #2 in addition to target #1.

p.