I am attempting to set up an LDAP "tunnel" to work around an application that requires a configuration slightly different to my environment.
I need to be able to bind as USER1 to an LDAP server & retrieve data that the user does not have access to, but a second user (USER2) does. Effectively authentication should be USER1 but then data retrieval done using USER2 for authorization.
So far I've looked into using OpenLDAP's 'meta' backend to set up a kind of tunnel but can't seem to get the configuration right. Here's my config running on the meta server attempting to tunnel to SERVER1 (the real server).
# slapd.conf on the meta server: one back-meta database proxying SERVER1
database meta
suffix o=me
# the target; its naming context must match the local suffix
uri "ldap://SERVER1/o=me"
And I've tried different variations around this bit but can't get anything that works. USER1 is the original low-priv user and USER2 is the escalated user.
# per-target identity assertion: bind to SERVER1 as USER2 and, with mode=none,
# send no proxyAuthz control, so SERVER1 applies USER2's access rights
idassert-bind bindmethod=simple binddn="cn=USER2,o=me" credentials="secret" mode=none
# only USER1 may have that identity asserted on its behalf
idassert-authzFrom "dn.exact:cn=USER1,o=me"
The 'test' case is this:
ldapsearch -h METASERVER -D "cn=USER1,o=me" -W -x -b "ou=what,o=me" cn=somethinghidden
To have the server use a specified authentication identity for a request, use Proxied Authentication.
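A complete proxy configuration for the setup the question describes, written as an added example (it is neither the asker's posted config nor OpenLDAP project documentation). It keeps the question's placeholders (METASERVER, SERVER1, o=me, USER1, USER2, "secret"); the schema and module paths are assumptions and depend on how slapd was built and packaged. The comments spell out the difference between mode=none and the default legacy mode, which is where this kind of setup usually goes wrong:

```conf
# slapd.conf on METASERVER (added example, not the poster's config).
# Paths below are assumptions; adjust to your build.
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Only needed when the backends are built as modules. back-meta
# is implemented on top of back-ldap, so load both.
moduleload      back_ldap.la
moduleload      back_meta.la

database        meta
suffix          "o=me"

# The proxy's own ACLs are evaluated on forwarded results as well; the
# default is read access for everyone, which is what a tunnel wants.
access to * by * read

# Target: the real server. The naming context in the URI must match the
# local suffix (use suffixmassage if the remote suffix differs).
uri             "ldap://SERVER1/o=me"

# A client bind as USER1 is always forwarded to SERVER1 as-is, so USER1
# must exist and be able to bind there; that is the authentication step.
#
# Identity assertion is per target and must follow the uri it applies to.
# After the client has authenticated, operations are forwarded over a
# connection bound as USER2.
#   mode=none   : no proxyAuthz control is sent. SERVER1 sees USER2 and
#                 applies USER2's ACLs. This is the escalation the
#                 question asks for.
#   (default)   : mode=legacy adds a proxyAuthz control carrying the
#                 client's identity (USER1), so SERVER1 applies USER1's
#                 ACLs after all, and additionally requires authz-policy
#                 plus an authzTo attribute on USER2's entry on SERVER1
#                 before it accepts the control.
idassert-bind   bindmethod=simple
                binddn="cn=USER2,o=me"
                credentials="secret"
                mode=none

# Restrict who may ride on USER2's identity. Any authenticated client
# not matched here has its operations refused rather than forwarded.
idassert-authzFrom "dn.exact:cn=USER1,o=me"
```

To verify, bind as USER1 through the proxy (ldapsearch -H ldap://METASERVER -x -D "cn=USER1,o=me" -W -b "ou=what,o=me" cn=somethinghidden) and then run the identical search directly against SERVER1 as USER1; the entry should come back only through the proxy. SERVER1's log for the proxied search shows a bind DN of cn=USER2,o=me and no proxyAuthz control. Because this database is by design a privilege-escalation path, keep idassert-authzFrom as narrow as possible, protect slapd.conf (it holds USER2's password in clear), and remember that the bind from METASERVER to SERVER1 is plain ldap:// here; add tls=ldaps or a StartTLS setting on the idassert-bind line if the link between the two servers is not already trusted.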