https://bugs.openldap.org/show_bug.cgi?id=9805
--- Comment #2 from michael.bobzin@baloise.ch --- (In reply to Howard Chu from comment #1)
OpenLDAP 2.4 is no longer supported.
slapo-dynlist in OpenLDAP 2.5 supports nested groups, so there's no need to use autogroup at all.
Hello Howard,
thanks for the quick reply.
But I am not sure if the dynlist overlay alone is sufficient for our UseCase. Queries like this
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(cn=groupB)" member
work well. All dynamically generated members are returned.
But the query
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
only worked (groupB was also returned as a hit), after we added the autogroup overlay. For this query, it seems to be important that the member attribute for userX is managed by autogroup in groupB. The members found dynamically by dynlist do not seem to work for this search.
Therefore, it is important for us to know why autogroup, when making adjustments to the attributes of userX deletes the member entry in groupB and what we can do to prevent it.
But we will first upgrade to 2.5 and repeat the test.
Regards Michael