https://bugs.openldap.org/show_bug.cgi?id=10019
--- Comment #2 from msl@touk.pl --- (In reply to Howard Chu from comment #1)
> The discrepancy between your app behavior and ldapsearch commandline behavior implies that you're not accurately describing what your app does. Also, if there is an ACL configuration issue, it's not helpful for you to omit the 13 other ACL rules in your config.
> If you want anyone to actually have a chance of diagnosing your problem, you need to be able to provide a complete minimal configuration that demonstrates it. I suggest you start by using the configs used in the test suite itself.
Sorry for the somewhat confusing report, I should have split it into 2 separate ones as these are (were) somewhat distinct.
I did some more digging:
1) regarding anonymous bind access
I forgot to grant entryDN access. So that's on me (side-effect of switching to dynlist, as the memberof overlay of course didn't need that). After re-reading the man page it was indeed mentioned there.
2) regarding dynlist not triggering its functionality
This took me a bit more time to connect the dots - after shortcutting ACLs to '{0}to * by * manage' and enabling 'acl' logging, and after seeing that dynlist internal searches were not triggered, the issue turned out to be manageDSAit. So updating the configs wherever we are using memberof fixed the issues.
Anyway, perhaps there is room for a small improvement - wouldn't it be possible/better to have the static membership functionality always work, regardless of manageDSAit, as technically it's not needed for this part since no explicit URLs are actually involved?
Other than that sorry for the noise.