
Re: meta backend subtree directive ignored by conversion to cn=config



> Sorry!
> I mistyped the uri where the user is found (this happens because I saw
> this behaviour on the real configuration and I had to massage it).
> The search command, issued from the openldap server itself, is:
>
> ldapsearch -xLLL -H ldap:/// -D "cn=LdapBindUser,dc=newco,dc=com" -w secret1 -E pr=647/noprompt -b 'DC=newco,DC=com' 'sn=policastro' dn
>
> I find two records, one correct and one unexpected:
>
> dn: cn=Policastro Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com (matches the line marked with *)
>
> dn: cn=Policastro Francesco,ou=UsersDisable,dc=second,dc=newco,dc=com

OK, I got the point.  You're probably misusing this feature.  If you want
to prevent a portion of the subtree from being returned, you need to use
an ACL.

The subtree-{in|ex}clude is only used during candidate selection.  This
means that it is used while deciding whether or not an operation must be
propagated to a specific target.

For example, let's say that target #1 is rooted at "ou=Sub 1,dc=org", and
target #2 is rooted at "dc=org", and it is known that target #2 does not
contain a subtree named "ou=Sub 1,dc=org", adding

subtree-exclude "ou=Sub 1,dc=org"

to target #2 prevents searches whose searchBase is (a subordinate of)
"ou=Sub 1,dc=org" from spanning target #2 in addition to target #1.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
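The two-target layout the reply describes, written out as an added slapd.conf example (this is not configuration from the thread or from the OpenLDAP project; the hostnames, the suffix "dc=org", the bind DN "cn=proxyuser,dc=org", the "ou=Disabled,dc=org" subtree and the "access to *" catch-all are assumed, and the reply's "ou=Sub 1" is written as "ou=Sub1" so the target URI needs no escaping). It puts the candidate-selection directive and the ACL side by side, which is the distinction the reply draws:

```conf
# Added example, not from the original thread.  Suffix, hosts, bind DN and
# the ou=Disabled subtree are assumed for illustration.
database        meta
suffix          "dc=org"

# Target #1: serves only the "ou=Sub1,dc=org" subtree.
uri             "ldap://sub1.example.org/ou=Sub1,dc=org"

# Target #2: serves the rest of "dc=org" and is known NOT to contain
# "ou=Sub1,dc=org".
uri             "ldap://main.example.org/dc=org"
# Candidate selection only: a search whose base is (a subordinate of)
# ou=Sub1,dc=org is not propagated to this target, so it goes to
# target #1 alone.  It does NOT filter entries target #2 returns.
subtree-exclude "ou=Sub1,dc=org"

# To hide entries that a target DOES hold (e.g. a disabled-users
# subtree) from a particular bind DN, use an ACL instead.  slapd
# applies ACLs to entries returned by the meta backend before sending
# them to the client.  The bind DN and subtree are assumed.
access to dn.subtree="ou=Disabled,dc=org"
        by dn.exact="cn=proxyuser,dc=org" none
        by * read
access to *
        by * read
```

With this in place a search bound as cn=proxyuser,dc=org with base dc=org still fans out to both targets, but any entry under ou=Disabled,dc=org is dropped by the ACL before it reaches the client, whereas subtree-exclude only changes which targets a search is sent to.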