Dear list members,
I have been trying to get the memberof overlay to work properly on slapd 2.4.19 on an Ubuntu hardy (8.04.3).
After realizing (which took a while hehe) that installing OpenLDAP via apt-get wouldn't allow me to enable modules/overlays, I downloaded the source and built it manually with:
./configure --enable-overlays --enable-accesslog --enable-auditlog --enable-collect --enable-constraint --enable-dds --enable-deref --enable-dyngroup --enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache --enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-syncprov --enable-translucent --enable-unique --enable-valsort --enable-modules --with-tls
(I wanted to be on the safe side so I kinda enabled everything)
The server is now set up and running (with TLS and all, but I guess that's not important here). To activate the wanted overlay, I have (in my slapd.conf):
modulepath /usr/local/etc/openldap/overlays/
moduleload memberof.la
overlay memberof
(the path is correct and I have checked the logs to make sure it was paying attention to those fields).
Anyway, I started doing some experiments, and at first it seemed to be working fine. But some test cases later, the memberOf value started being incorrect when compared to the member attribute of the groups.
Here's how to reproduce my scenario (I just tried it again, with a new database, base DN being dc=ipfn,dc=ist,dc=utl,dc=pt):
First, run init.ldif (attached), which creates the usual groups and people OUs, then creates 2 users followed by 2 groups with one user per group.
So far so good: if I do an ldapsearch based on ou=people (...) and ask for the memberOf attribute, I get:
dn: ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
----------------------------------------
Next, I run modify.ldif (also attached) which changes the member attribute of the admin group from "cn=Daniel Gomes (...)" to "cn=John Smith (...)". We can then see that:
dn: ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: organizationalUnit
ou: groups

dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
cn: admin
description: For administrators
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
cn: users
description: For users
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
----------------------------------------------
Meaning, the group was successfully modified, but the previous query returns the same value:
dn: ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
-----------------------------------------
This seems to happen only when deleting users from groups. I have tried with and without the refint overlay, if that matters for anything.
Anyway, I do not see anything I can be doing wrong, so it does seem to be a bug. If I could get some info on this, I would appreciate it!
Cheers,
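
Added example, not part of the original post: a small Python audit that cross-checks member against memberOf in an LDIF dump and reports both stale and missing reverse links, which matters wherever clients authorize on memberOf. The sample is built from the entries shown in the post after modify.ldif; the function names are hypothetical, and the parser assumes unfolded, non-base64 LDIF and a simplified DN normalisation.

```python
# Added example: audit memberOf against member using an LDIF dump.

# Constructed sample: the entries shown in the post after modify.ldif ran.
SAMPLE_LDIF = """\
dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
"""

def norm(dn):
    # Simplified DN normalisation (assumption): lower-case, trim around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse(ldif):
    """Return (forward, reverse) sets of (user_dn, group_dn) pairs."""
    forward, reverse = set(), set()
    for block in ldif.strip().split("\n\n"):
        dn = None
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attr = attr.lower()
            if attr == "dn":
                dn = norm(value)
            elif attr == "member":      # group entry lists a user
                forward.add((norm(value), dn))
            elif attr == "memberof":    # user entry lists a group
                reverse.add((dn, norm(value)))
    return forward, reverse

def audit(ldif):
    forward, reverse = parse(ldif)
    # stale: memberOf with no matching member; missing: the opposite case.
    return {"stale_memberof": sorted(reverse - forward),
            "missing_memberof": sorted(forward - reverse)}

if __name__ == "__main__":
    for kind, pairs in audit(SAMPLE_LDIF).items():
        for user, group in pairs:
            print(f"{kind}: {user} -> {group}")
```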