Howard Chu wrote:
Given that the deref overlay isn't even documented and is
probably used by
only a handful of OpenLDAP developers I don't believe it even merited a CVE
Hmm, not sure. Arthur de Jong implemented support for this control in
nss-pam-ldapd a year ago  and IIRC also discussed it on the
openldap-technical mailing list.
2014-01-05 Arthur de Jong <arthur(a)arthurdejong.org>
* [c6c317e] : Implement deref control handling
This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to
dereference group member attribute values to uid attribute values.