ebackes@symas.com wrote:
Full_Name: Emily Backes
Version: 2.4.25
OS: any
URL:
Submission from: (NULL) (76.88.107.46)
In recent OpenLDAPs (2.4.25 at least, but I haven't found exactly where it started), memberof interacts badly with accesslog.
See also: http://www.openldap.org/lists/openldap-technical/201104/msg00242.html
In a simple test case with a groupOfNames and two people, if you add a person to the group, memberOf should set their memberOf operational attribute to point to the group. That works! But currently the accesslog db will only show the change for the memberof update and not the original group change.
I can confirm that.
Digging deeper, I found: [..] The changes are reaching accesslog, but don't make it into the logdb because their generated DNs based on reqStart match.
Ah, that explains it.
reqStart is generated with a generalizedTime stamp where the microseconds are an incrementing count based on o_tincr, but this does not seem to be incremented, or incremented enough.
It's not entirely clear why this is a problem now and not earlier.
Maybe it was always a problem. Because I've started the thread above before installing 2.4.25:
http://www.openldap.org/lists/openldap-technical/201103/msg00032.html
I had 2.4.24 or 2.4.23 installed back then.
This may be related to ITS#6766.
Seems similar, and the group modification is the same as in the cases where I observed the behaviour described in my postings.
Ciao, Michael.
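
The collision described in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: a toy model of a log database whose entry DNs come only from reqStart, showing how a second record with the same timestamp and counter is lost. The `cn=accesslog` suffix, the sample DNs, the record layout and the arrival order (memberOf update first, matching the reported symptom) are assumptions.

```python
# Added illustration, not OpenLDAP source: a toy log database whose entry
# DNs are derived only from the reqStart timestamp.
from datetime import datetime, timezone

LOG_SUFFIX = "cn=accesslog"  # assumed suffix of the log database


def req_start(epoch_seconds, tincr):
    """generalizedTime with the per-operation counter in the microseconds field."""
    stamp = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return stamp.strftime("%Y%m%d%H%M%S") + ".%06dZ" % tincr


def log_dn(epoch_seconds, tincr):
    """DN of the log entry for a record with this time and counter."""
    return "reqStart=%s,%s" % (req_start(epoch_seconds, tincr), LOG_SUFFIX)


def write_log(records):
    """Add records in arrival order; an add whose DN already exists fails.

    Returns (stored, dropped): stored maps DN -> record, dropped lists the
    records lost to a DN collision.
    """
    stored, dropped = {}, []
    for rec in records:
        dn = log_dn(rec["time"], rec["tincr"])
        if dn in stored:
            dropped.append(rec)  # same reqStart, so the entry cannot be added
        else:
            stored[dn] = rec
    return stored, dropped


# Constructed sample: one client modify on a group plus the internal
# memberOf update it triggers, both carrying the same time and counter.
T = 1302861296
SAMPLE = [
    {"time": T, "tincr": 0, "note": "memberOf update",
     "reqDN": "uid=alice,ou=people,dc=example,dc=com"},
    {"time": T, "tincr": 0, "note": "group change",
     "reqDN": "cn=staff,ou=groups,dc=example,dc=com"},
]

if __name__ == "__main__":
    stored, dropped = write_log(SAMPLE)
    for dn, rec in stored.items():
        print("stored ", dn, "<-", rec["note"])
    for rec in dropped:
        print("dropped", log_dn(rec["time"], rec["tincr"]), "<-", rec["note"])
```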