# back-ldap proxy database (slapd-ldap(5)): operations received for the
# suffix are forwarded to the server named in "uri". Directive order in
# slapd.conf is significant, so "database" stays first and any overlay
# (see below) comes after the database-specific directives.
database ldap
suffix "dc=mydomain,dc=tld"
# NOTE(review): plain ldap:// URI. Bind credentials accepted by this proxy
# are re-sent to the.real.server over this connection, so the link should
# be protected (ldaps://, or back-ldap's "tls start" directive) — confirm
# for the deployment.
uri "ldap://the.real.server/"
In either case, after all database-specific directives you need to add:
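overlay rwm
# turn on rewriting (set to "off" to temporarily disable)
rwm-rewriteEngine on
# LDAP map that looks up the real DN for binds; add options as needed
# (see slapo-rwm(5) for details). The map is one logical directive: in
# slapd.conf a line continues only when the next line starts with white
# space, so the URI argument is indented rather than placed at column 0.
# NOTE(review): no bind options are given, so the lookup presumably runs
# under slapo-rwm's default (anonymous) identity; that identity must be
# allowed to search on "mail" under ou=People — confirm, or add the
# binddn/credentials options documented in slapo-rwm(5).
rwm-rewriteMap ldap "realBindDNLookup"
    "ldap://server/ou=People,dc=mydomain,dc=tld?entryDN?sub"
# The actual bind DN rewrite rules
rwm-rewriteContext bindDN
# extract the username from the incorrect DN, and try to use it
# as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
# fetch the corresponding DN.
# The captured username ($1) is substituted into the lookup filter
# verbatim, so the capture group accepts only the characters expected in
# a local mailbox part instead of "anything but a comma"; this keeps LDAP
# filter metacharacters ('*', '(', ')', '\') out of the filter. Widen the
# class if local usernames legitimately contain other characters. A bind
# DN that does not match the pattern is passed through unchanged.
rwm-rewriteRule "^uid=([A-Za-z0-9._+-]+),ou=People,dc=mydomain,dc=tld$"
    "${realBindDNLookup(mail=$1@mydomain.tld)}" ":@I"
# if the lookup fails, the error is ignored, and thus
# the original DN is used.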