josemarcodelarosa@gmail.com wrote:
Yes, you are completely right. The only reason I can think of using the DN version is because you are forced by your schema (attribute types for the expansion source attribute differ). I emphasize that the implementation of both is quite different. The DN version uses recursivity while the URL version relies in slapd's search-reply mechanism. I just added the first one as an example.
URL version is much more powerful and more elegant. You suggested subGroupURL: ldap:///<dn>??base, but even subGroupURL: ldap:///<dn> works ok (if I remember right).
According to Section 3 of RFC 4516, if <scope> is omitted, a scope of "base" is assumed.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------