https://bugs.openldap.org/show_bug.cgi?id=9805
Issue ID: 9805
Summary: member attributes managed by autogroup are lost when user attributes are adjusted
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs@openldap.org
Reporter: michael.bobzin@baloise.ch
Target Milestone: ---
Hello OpenLDAP Team,
we use nested groups in our OpenLDAP directory. User X is a member of group A. Group A is a member of group B. User X is therefore also a member of group B.
To be able to find out all groups of user X with only one LDAP query we use the dynlist overlay together with the autogroup overlay.
Group B is a dynamic group whose member attributes are set with autogroup, to allow a search for members.
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
Result:
cn=groupA,ou=groups,dc=basler,dc=ch
cn=groupB,ou=groups,dc=basler,dc=ch
----- Group A ----------------------------------------------------------
dn: cn=groupA,ou=groups,dc=basler,dc=ch
cn: groupA
objectClass: top
objectClass: groupOfNames
member:cn=userX,ou=users,dc=basler,dc=ch
----- Group B ----------------------------------------------------------
dn: cn=groupB,ou=groups,dc=basler,dc=ch
cn: groupB
objectClass: top
objectClass: groupOfURLs
memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)
# managed by autogroup
member:cn=userX,ou=users,dc=basler,dc=ch
-----------------------------------------------------------------------
This works until any attribute in the userX object is changed. The member attribute for userX created dynamically by autogroup is then deleted from groupB, although userX is still a member of groupA and is therefore matched by the search in the memberURL attribute of groupB.
The expected behaviour would be that the member attribute in groupB remains unchanged.
----------- configuration --------------------------
OpenLDAP 2.4.59 from https://www.ltb-project.org/download.html
--------------- slapd.conf -------------------------
...
moduleload dynlist
moduleload autogroup.so
...
include /usr/local/openldap/etc/openldap/local-schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset groupOfURLs memberURL

overlay autogroup
autogroup-attrset groupOfURLs memberURL member
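
Added example (not part of the original report and not OpenLDAP code): an offline consistency check that recomputes which member values groupB should hold from its memberURL and lists any that are missing, which is the state the report describes. It assumes, as the report's entries suggest, that an attribute named in the URL supplies the member values taken from matching entries; the function names and the in-memory directory are constructed for illustration, and only a single equality filter is handled.

```python
# Constructed sample data, modelled on the entries shown in the report.
USER = "cn=userX,ou=users,dc=basler,dc=ch"
GROUP_A = "cn=groupA,ou=groups,dc=basler,dc=ch"
GROUP_B = "cn=groupB,ou=groups,dc=basler,dc=ch"
URL = "ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)"

def sample_directory(b_members):
    return {
        GROUP_A: {"cn": ["groupA"], "member": [USER]},
        GROUP_B: {"cn": ["groupB"], "memberURL": [URL], "member": list(b_members)},
    }

def parse_member_url(url):
    """Split ldap:///base?attr?scope?filter; DNs are compared lower-cased."""
    if not url.startswith("ldap:///"):
        raise ValueError("unsupported memberURL: " + url)
    base, attr, scope, flt = (url[8:].split("?") + ["", "", ""])[:4]
    return base.lower(), attr or None, scope or "base", flt

def in_scope(dn, base, scope):
    dn = dn.lower()
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]  # one = children

def matches(entry, flt):
    """Simplification: only a single equality filter (attr=value) is handled."""
    attr, value = flt.strip("()").split("=", 1)
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def expected_members(directory, url):
    base, attr, scope, flt = parse_member_url(url)
    found = set()
    for dn, entry in directory.items():
        if in_scope(dn, base, scope) and matches(entry, flt):
            # Assumption: URL attribute values become members, else the DN.
            found.update(v.lower() for v in (entry.get(attr, []) if attr else [dn]))
    return found

def missing_members(directory, group_dn):
    """Member values the memberURL search yields but the group entry lacks."""
    group = directory[group_dn]
    want = set().union(*(expected_members(directory, u) for u in group.get("memberURL", [])))
    return sorted(want - {v.lower() for v in group.get("member", [])})

print(missing_members(sample_directory([]), GROUP_B))  # constructed post-loss state
```

Run against an export of the real groups before and after modifying a user entry, a non-empty result for groupB flags the drift without waiting for an access decision to fail.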