open ldap meta backend empty search

[Pierluca Marino <pierluca.marino@gmail.com>]

Hi,

I have a problem with meta backend feature.

I need to get data from two different LDAP under a unique dn. The two ldap are an active directory and another ldap that should be on the same Open LDAP instance of the meta backend.

Actually to test the solution I'm usind Open LDAP Windows version.

This is my sladp config:

# LDIF Backend configuration file

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

ucdata-path ./ucdata

include ./schema/core.schema

include ./schema/cosine.schema

include ./schema/nis.schema

include ./schema/inetorgperson.schema

include ./schema/openldap.schema

include ./schema/dyngroup.schema

pidfile ./run/slapd.pid

argsfile ./run/slapd.args

# Enable TLS if port is defined for ldaps

TLSVerifyClient never

TLSCipherSuite HIGH:MEDIUM:-SSLv2

TLSCertificateFile ./secure/certs/server.pem

TLSCertificateKeyFile ./secure/certs/server.pem

TLSCACertificateFile ./secure/certs/server.pem

####META

database meta

suffix "dc=proxy,dc=company,dc=it"

rootdn "cn=Manager,dc=proxy,dc=company,dc=it"

rootpw           "secret"

uri "ldap://adhost:390/dc=proxy,dc=company,dc=it"

suffixmassage "dc=proxy,dc=company,dc=it" "dc=company,dc=cosmag,dc=it"

lastmod       off

idassert-bind 

bindmethod=simple 

binddn="cn=Manager,dc=company,dc=cosmag,dc=it" 

credentials="password" 

mode=none 

flags=non-prescriptive

idassert-authzFrom "dn.exact:cn=Manager,dc=proxy,dc=company,dc=it"

acl-authcDN "cn=Manager,dc=company,dc=cosmag,dc=it"

acl-passwd  "password"

uri "ldap://localhost:389/dc=proxy,dc=company,dc=it"

suffixmassage  "dc=proxy,dc=company,dc=it" "dc=portal,dc=company,dc=it"

lastmod       off

idassert-bind 

bindmethod=simple 

binddn="cn=Manager,dc=portal,dc=company,dc=it" 

credentials="secret" 

mode=none 

flags=non-prescriptive

idassert-authzFrom "dn.exact:cn=Manager,dc=proxy,dc=company,dc=it"

acl-authcDN "cn=Manager,dc=portal,dc=company,dc=it"

acl-passwd  "secret"

#######################################################################

# ldif database definitions

#######################################################################

database ldif

directory ./ldifdata

suffix "dc=portal,dc=company,dc=it"

rootdn "cn=Manager,dc=portal,dc=company,dc=it"

# Cleartext passwords, especially for the rootdn, should

# be avoid.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw    {SSHA}Bww72HPj9nrNxrLAQxuTqP1Z0zuafPPd

The server start normally, but when I do a search starting from base dn "dc=proxy,dc=company,dc=it" nothing is returned:

ldapsearch -H ldap://localhost:389 -x -D "cn=Manager,dc=proxy,dc=company,dc=it" -W -b "dc=proxy,dc=company,dc=it" -s base -a always -z 1 "(objectClass=*)" "hasSubordinates" "objectClass"

# baseObject   : dc=proxy,dc=company,dc=it

# scope        : baseObject (0)

# derefAliases : derefAlways (3)

# sizeLimit    : 1

# timeLimit    : 0

# typesOnly    : False

# filter       : (objectClass=*)

# attributes   : hasSubordinates objectClass

#!SEARCH RESULT DONE (32) OK

#!CONNECTION ldap://localhost:389

#!DATE 2015-06-16T07:38:21.970

# numEntries : 0

Server log returns:

 conn=1000 op=6 <<< meta_back_search_start[1]=0

 conn=1000 op=6 meta_back_search: ncandidates=0 cnd="**"

 conn=1000 op=6 meta_back_search: base="dc=proxy,dc=company,dc=it" scope=0: no candidate could be selected

 send_ldap_result: conn=1000 op=6 p=3

 send_ldap_response: msgid=7 tag=101 err=52

Where is my mistake? There is something that I have missed in configuration?

Best Regards

Pierluca