Hi all,
I realized that the subtree-include directives I use in my meta backend
are not converted to cn=config at all: after converting with slaptest -F
I cannot find them anywhere in the cn=config tree, so the subtree
restriction is silently lost.
The slapd version is 2.4.33 as patched after ITS#7525
(openldap-648d28f.tar.gz)
Here is my slapd.conf:
====================================================
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Global section: schema, local attribute definitions and daemon-wide
# settings. Everything here applies before the first "database" directive.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
# Minimal local definitions of Active Directory attributes so that they
# can be named in the "map attribute" directives of the meta database.
# NOTE(review): sAMAccountName/userPrincipalName use caseExactMatch here;
# the remote directory presumably matches them case-insensitively, so a
# locally normalised filter may not behave like the remote one - confirm
# whether caseIgnoreMatch is wanted.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
EQUALITY caseExactMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.35 NAME 'employeeID'
EQUALITY caseExactMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.8 NAME 'userAccountControl'
EQUALITY integerMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
EQUALITY caseExactMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
# Allow LDAPv2 client connections. This is NOT the default.
# NOTE(review): LDAPv2 clients cannot use StartTLS or SASL, so their binds
# go over the wire in the clear; keep this off unless a legacy client
# genuinely needs it.
allow bind_v2
pidfile /var/run/slapd.pid
# ----------------------
# Backend types used by the databases below.
backend meta
backend hdb
# ----------------------
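# ----------------------
database meta
# ----------------------
# Proxy database: presents two remote directories under dc=newco,dc=com.
suffix "dc=newco,dc=com"
readonly on
rootdn "cn=LdapBindUser,dc=newco,dc=com"
# NOTE(review): rootpw is stored in the clear. Prefer a hash generated with
# slappasswd(8) ({SSHA}...) so that a leaked config does not leak the password.
rootpw secret1
# no anonymous bind
require authc
conn-ttl 25m
dncache-ttl disabled
# Deny everything through the ACL. The rootdn is not subject to ACLs, so in
# effect only the rootdn can read through this proxy - confirm that is intended.
# Continuation lines ("by ...") must start with whitespace in slapd.conf.
access to *
        by * none
# ---- first domain ----
# NOTE(review): plain ldap:// with bindmethod=simple sends the idassert
# credentials in the clear. Consider ldaps:// or the "tls start" directive
# (see slapd-meta(5)).
uri "ldap://server1.it.domain1.com/dc=first,dc=newco,dc=com"
idassert-bind bindmethod=simple binddn="cn=LDAP User,ou=ITStaff,dc=it,dc=domain1,dc=com" credentials=secret2
chase-referrals no
rebind-as-user true
map objectclass groupOfNames *
map objectclass person *
suffixmassage "dc=first,dc=newco,dc=com" "dc=it,dc=domain1,dc=com"
# Only these subtrees are proxied from this target. If the directives are
# dropped on conversion to cn=config, the restriction silently disappears
# and presumably the whole target suffix becomes reachable - verify the
# resulting cn=config tree after slaptest -F.
subtree-include "ou=Applications,ou=Groups Shared,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=1st-location,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=3rd-location,dc=first,dc=newco,dc=com"
# map visible attributes to matching attributes on backend
map attribute distinguishedName *
map attribute givenName *
map attribute description *
map attribute sn *
map attribute cn *
map attribute mail *
map attribute samAccountName *
map attribute userAccountControl *
map attribute employeeID *
map attribute userPrincipalName *
# map everything else to null
map attribute *
# ---- second domain ----
# NOTE(review): same remark as above - simple bind over plain ldap://
# exposes credentials=secret3 on the wire; consider ldaps:// or "tls start".
uri "ldap://server2.domain2.net/ou=organizationalUnit,dc=second,dc=newco,dc=com"
idassert-bind bindmethod=simple binddn="cn=ldap-2,cn=Users,dc=domain2,dc=net" credentials=secret3
chase-referrals no
rebind-as-user true
map objectclass groupOfNames *
map objectclass person *
suffixmassage "dc=second,dc=newco,dc=com" "dc=domain2,dc=net"
# Restrict this target to the listed subtrees (same caveat as for the
# first target if they are lost on conversion to cn=config).
subtree-include "ou=Users,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com"
subtree-include "ou=My-ou,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com"
subtree-include "ou=Remote Sites,ou=organizationalUnit,dc=second,dc=newco,dc=com"
# map visible attributes to matching attributes on backend
map attribute distinguishedName *
map attribute givenName *
map attribute description *
map attribute sn *
map attribute cn *
map attribute mail *
map attribute samAccountName *
map attribute userAccountControl *
# NOTE(review): employeeID is mapped to "pager" here but to "*" for the
# first target - confirm this difference is intentional.
map attribute employeeID pager
map attribute userPrincipalName *
# map everything else to null
map attribute *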
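# ----------------------
database hdb
# ----------------------
# Local database holding the dynamic groups.
# FIX: the suffix was missing its opening quote (suffix dc=domain-groups,dc=com"),
# which leaves an unbalanced quote on the line.
suffix "dc=domain-groups,dc=com"
rootdn "cn=groupsRoot,dc=domain-groups,dc=com"
# NOTE(review): store a slappasswd(8) hash ({SSHA}...) rather than cleartext.
rootpw secret4
# NOTE(review): there is no "access" directive in this section and none in
# the global section, so slapd's built-in default (access to * by * read)
# applies and this database is readable anonymously. If that is not intended,
# add something like:
#   access to *
#           by users read
#           by * none
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
directory /usr/local/var/openldap-data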
=============================================
Has anyone successfully used subtree-include in a meta backend under cn=config, and if so, which slapd version and which olc* attribute does it end up in?
Thanks,
Francesco Policastro