On Mon, Apr 03, 2017 at 11:15:17AM -0700, Quanah Gibson-Mount wrote:
> Looks like this has actually been reported before: http://www.openldap.org/its/index.cgi/?findid=7400
Yikes, from 2012, and never resolved 8-/. I'm curious though why Howard says the work has to be distributed to all the replicas locally as it wouldn't scale otherwise? For adding or removing a user from a group, replicating the memberOf attribute on the user in addition to the member attribute on the group only doubles the replication load, which doesn't seem excessive. I suppose if you delete a group with a large membership that would result in updating a large number of users, but that's no different than if I delete a single user from a large number of groups, which doesn't seem to cause any issues. Unless I'm misunderstanding something?
In any case, I suppose this ITS can be closed now too, with the same resolution that the memberof overlay is no longer supported in a replicated configuration and to switch to the dynlist implementation...