Hmm, thinking about this some more...

slapo-dynlist(5) says:

"dynamically added attributes do not participate in the filter matching phase of the search request handling."

This is a big drawback of slapo-dynlist rendering the work-arounds mentioned in ITS#8613 nearly useless.

I have to step back a bit: Why is 'memberOf' not replicated? I vaguely remember other issues:

https://www.openldap.org/its/index.cgi?findid=6915

https://www.openldap.org/its/index.cgi?findid=6766

https://www.openldap.org/its/index.cgi?findid=7710

But I wonder whether the real underlying issues might have been fixed in 2.4.x releases.

How much effort is it to try to replicate 'memberOf' attribute again?

Ciao, Michael.