OpenLDAP 2.4.11 + Syncrepl + RWM

["Alan Evans" <alanwevans@gmail.com>]

I am using OpenLDAP 2.4.11 with all overlays and all backends compiled.  My company is in the middle if rebuilding our LDAP environment and we would like to use OpenLDAP + Syncrepl + RWM to neatly move objects into their new places within the DIT.

Our old DIT looks like:

ou=people,dc=company,dc=com
  uid=abc_jsmith
  uid=abc_jdoe
  uid=xyz_hsmith
  uid=xyz_dsmith

Our new DIT looks like:

ou=users,o=abc,dc=company,dc=com
  uid=abc_jsmith
  uid=abc_jdoe
ou=users,o=xyz,dc=company,dc=com
  uid=xyz_hsmith
  uid=xyz_dsmith

There are about 3100 objects in the ou=people container and we have several hundred clients to the current ldap setup so we will not  be able to migrate all in one night.

We are setting the new DIT/servers up in paralell to the old and would like to use syncrepl on the new servers to pull in objects from the old DIT and use syncrepl to find their new place in the tree.  At the moment we are testing this setup in a lab enviornment so I am using another backend to represent the old DIT.

Here's what my config looks like:

... snip ...
database ldif
suffix ou=people,dc=company,dc=com
directory /var/lib/ldap/people
rootdn "cn=Manager,ou=people,dc=company,dc=com"
rootpw *******

overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext default
rwm-rewriteRule "(uid=abc_.+),ou=people,dc=company,dc=com$" "$1,ou=users,o=abc,dc=company,dc=com"

database        bdb
suffix          "dc=company,dc=com"
rootdn          "cn=Manager,dc=company,dc=com"
rootpw                  ********

syncrepl rid=002
        provider=ldap://localhost/
        bindmethod=simple
        binddn="cn=Manager,dc=company,dc=com"
        credentials=********
        searchbase="ou=people,dc=company,dc=com"
        schemachecking=off
        type=refreshOnly
        starttls=yes
        tls_reqcert=allow
        retry="60 +"
... snip ...

The ldif backend works as expected, if I do:
ldapsearch -x uid=abc_\* -b ou=people,dc=company,dc=com 

I get nicely translated DNs and if I save the output to a file and ldap add it to the new DIT I get users where they belong.

But, I am not getting synchronization.  I know I am missing something, probably more RWM rules.  Maybe instead of doing the rewrites on the 'old' backend I should be doing them on the 'new' backend as the data comes into syncrepl?

I am also thinking that the searchbase in the syncrepl clause is part of the problem, I am telling it to sync ou=people and its getting ou=users,o=abc back so it should probably ignore them correct?

Can anyone steer me in the right direction?