
ldap-alias.txt

We have a successful OpenLDAP deployment used for Linux/UNIX authentication in a University environment. Recently we have been approached by a self-managed research group that would like to use our LDAP server for authentication instead of the currently implemented NIS. However, they would like to be able to create local user accounts in their "subtree". Since most of the researchers are already in our LDAP directory, is it possible to refer to specific entries in the main tree from their own subtree? For example, let's say our tree is called

dc=domain,dc=edu

and I want to create a subtree called

dc=research,dc=domain,dc=edu

on the same server and point the research groups' machines to the newly created subtree. Is it now somehow possible to point e.g.

uid=user,cn=users,dc=research,dc=domain,dc=edu ===> uid=user,cn=users,dc=domain,dc=edu

The main purpose is not to have to duplicate user entries. I looked into the admin guide and it appears I can only make a referral to a whole subtree, i.e. subordinate knowledge. Can I do the same for individual entries? If so, does anyone have LDIF examples of how to do it?

Thanks,

Vladimir

To create an alias, you need to create an entry with the object classes alias and extensibleObject. The extensibleObject class lets the alias entry carry the attribute that forms its part of the DN (uid in the example below), which is required before the entry can be added.

An example LDIF(5) file is

dn: uid=alias,ou=People,dc=example,dc=net
objectclass: alias
objectclass: extensibleObject
uid: alias
aliasedobjectname: uid=target,ou=Retired People,dc=example,dc=com

When searching for objects, if dereferencing is enabled and an alias entry is found within the search scope, the aliased object will be returned. That is,

ldapsearch -x -a search -b "ou=People,dc=example,dc=net"

would return the "uid=target,ou=Retired People,dc=example,dc=com" object.

You can also expect to get the "target" results by searching with the "alias" entry as the base:

ldapsearch -x -a always -b uid=alias,ou=People,dc=example,dc=net <filter>
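
Added example, not part of the original text: a small Python model of the four ldapsearch -a modes (never, search, find, always), run over a constructed in-memory directory that uses the DNs from the question. It assumes lowercase DNs without escaped commas and illustrates the dereferencing rules only; it is not OpenLDAP code.

```python
# Constructed sample directory (DN -> attributes); DNs are assumed lowercase
# with no escaped commas. Illustration only, not OpenLDAP code.
ALIAS = "uid=user,cn=users,dc=research,dc=domain,dc=edu"
TARGET = "uid=user,cn=users,dc=domain,dc=edu"
DIT = {
    "dc=domain,dc=edu": {},
    "cn=users,dc=domain,dc=edu": {},
    TARGET: {"uid": "user"},
    "dc=research,dc=domain,dc=edu": {},
    "cn=users,dc=research,dc=domain,dc=edu": {},
    ALIAS: {"objectClass": ["alias", "extensibleObject"], "uid": "user",
            "aliasedObjectName": TARGET},
    "uid=local,cn=users,dc=research,dc=domain,dc=edu": {"uid": "local"},
}

def is_alias(dn):
    return "aliasedObjectName" in DIT[dn]

def resolve(dn):
    """Follow aliasedObjectName to a real entry; fail on loops or dangling targets."""
    seen = set()
    while is_alias(dn):
        if dn in seen:
            raise ValueError("alias loop at " + dn)
        seen.add(dn)
        dn = DIT[dn]["aliasedObjectName"]
        if dn not in DIT:
            raise LookupError("dangling alias target " + dn)
    return dn

def search(base, deref="never"):
    """Subtree search; returns the sorted DNs a client would get back."""
    if deref in ("find", "always"):        # dereference the base object
        base = resolve(base)
    found, roots = set(), [base]
    while roots:
        root = roots.pop()
        for dn in DIT:
            if dn != root and not dn.endswith("," + root):
                continue                    # outside this subtree
            if deref in ("search", "always") and dn != base and is_alias(dn):
                target = resolve(dn)        # alias found below the base
                if target not in found:
                    roots.append(target)    # continue the search under the target
            else:
                found.add(dn)
    return sorted(found)

if __name__ == "__main__":
    for mode in ("never", "search", "find", "always"):
        print(mode, search(ALIAS, mode))
```

With "search" the alias is followed only when it lies below the search base, and with "find" only when it is the base itself, which is why the two commands above use different -a values.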

