For the record - I've never liked the autogroup overlay. It's a fairly
brute-force solution to what should be dynamic groups, making them into static
ones.

The limitation in dyngroup/dynlist about being unable to match member=foo
filters is annoying, of course. But having worked through a similar problem in
the contrib/adremap overlay, the solution now is obvious - just use an
additional search request, to find all of the dynamic groups in the scope
(autogroup already does this once, at startup time) and then feed the filter
attribute to each, one by one, doing the same evaluation that dyngroup's
Compare handler already does.

For sites with very large groups, dynamic groups are generally the right
approach, for size/efficiency reasons. autogroup throws away any efficiency
gains, but we can get them back.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
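
The approach described in the message, modelled as an added example (not part of the original message and not OpenLDAP code): answer a member=foo query by enumerating the dynamic groups and testing the entry against each group's URL. The `memberURL` attribute name, the in-memory directory and all function names are assumptions made for illustration; the filter evaluator covers only `&`, `|`, `!`, equality and presence.

```python
from urllib.parse import unquote

# Constructed sample directory: every DN and attribute value here is made up.
PEOPLE, GROUPS = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
URL = "ldap:///" + PEOPLE + "??"  # base set, attribute list empty; scope and filter follow
DIRECTORY = {
    "uid=alice," + PEOPLE: {"departmentNumber": ["42"], "employeeType": ["staff"]},
    "uid=bob," + PEOPLE: {"departmentNumber": ["42"], "employeeType": ["contractor"]},
    "cn=dept42-staff," + GROUPS: {"memberURL": [URL + "sub?(&(departmentNumber=42)(employeeType=staff))"]},
    "cn=dept42-all," + GROUPS: {"memberURL": [URL + "one?(departmentNumber=42)"]},
    "cn=non-staff," + GROUPS: {"memberURL": [URL + "sub?(!(employeeType=staff))"]},
}

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter, applying the RFC 4516 defaults."""
    parts = [unquote(p) for p in url.split("///", 1)[1].split("?", 3)] + [""] * 3
    return parts[0].lower(), parts[2] or "base", parts[3] or "(objectClass=*)"

def in_scope(dn, base, scope):
    """Naive DN scope test; assumes a non-empty base and no escaped commas."""
    dn = dn.lower()
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]

def _eval(s, entry):
    """Evaluate the filter at the start of s (case-insensitive string match only)."""
    if s[1] in "&|!":
        op, s, results = s[1], s[2:], []
        while s[0] == "(":
            r, s = _eval(s, entry)
            results.append(r)
        result = not results[0] if op == "!" else (all if op == "&" else any)(results)
        return result, s[1:]
    end = s.index(")")
    attr, value = s[1:end].split("=", 1)
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return (bool(have) if value == "*" else value.lower() in have), s[end + 1:]

def groups_of(member_dn, directory=DIRECTORY):
    """Answer (member=<dn>): enumerate dynamic groups, test the entry against each URL."""
    entry, hits = directory.get(member_dn), set()
    for group_dn, group in directory.items():  # the additional search for dynamic groups
        for base, scope, flt in map(parse_member_url, group.get("memberURL", [])):
            if entry is not None and in_scope(member_dn, base, scope) and _eval(flt, entry)[0]:
                hits.add(group_dn)
    return sorted(hits)
```

Membership is computed from the entry's current attributes at query time, so nothing has to be rewritten into a static member list when an attribute changes.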