Probably you didn't understand how dynamic groups work. They are intended to check group membership, namely if a DN is in a group when the group is known and selected otherwise (e.g. by "DN" in the search base, or by "cn" or whatever in the search filter).
You can't put in the filter information that has to be generated dynamically, like dynamic group membership. Or, you could, but then any search would need to be split into:
- search the whole database for (objectClass=*) to trigger dynamic expansion of data; then
- search the (at this point, unindexed) dynamically generated data.

This could be implemented, but probably it's not what users want...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
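The distinction drawn in the message above, as an added example that is not part of the original message and is not OpenLDAP code: a simplified in-memory model contrasting a membership check against a known group with membership used as a search filter. The sample DNs, the groups defined by memberURL-style LDAP URLs, the equality-only filter handling and all function names are assumptions made for illustration.

```python
# Simplified in-memory model with constructed data; not OpenLDAP code.
# Assumption: each dynamic group is defined by a memberURL-style LDAP URL.
DIRECTORY = {  # constructed sample entries: DN -> attributes
    "uid=alice,ou=people,dc=example,dc=com": {"departmentNumber": ["sec"]},
    "uid=bob,ou=people,dc=example,dc=com": {"departmentNumber": ["ops"]},
    "uid=carol,ou=people,dc=example,dc=com": {"departmentNumber": ["sec"]},
    "cn=build,ou=services,dc=example,dc=com": {"departmentNumber": ["sec"]},
}
GROUPS = {  # constructed dynamic groups: group DN -> URL that selects members
    "cn=sec-staff,ou=groups,dc=example,dc=com":
        "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=sec)",
    "cn=ops-staff,ou=groups,dc=example,dc=com":
        "ldap:///ou=people,dc=example,dc=com??one?(departmentNumber=ops)",
}

def parse_url(url):
    """Split ldap:///base?attrs?scope?filter; only (attr=value) filters handled."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    attr, value = flt.strip("()").split("=", 1)
    return base.lower(), scope or "base", attr, value

def in_scope(dn, base, scope):
    dn = dn.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)  # "sub"

def url_selects(dn, url):
    base, scope, attr, value = parse_url(url)
    return in_scope(dn, base, scope) and value in DIRECTORY.get(dn, {}).get(attr, [])

def is_member(dn, group_dn):
    """Group already known: one URL evaluated against one entry."""
    return url_selects(dn, GROUPS[group_dn]), 1

def groups_containing(dn):
    """Membership used as a filter: expand every group, then scan the result."""
    evaluations, expanded = 0, {}
    for group_dn, url in GROUPS.items():
        expanded[group_dn] = set()
        for entry_dn in DIRECTORY:  # whole database visited for each group
            evaluations += 1
            if url_selects(entry_dn, url):
                expanded[group_dn].add(entry_dn)
    hits = sorted(g for g, members in expanded.items() if dn in members)
    return hits, evaluations  # linear scan: generated data has no index
```

Both functions return the answer together with the number of entry evaluations performed, so the cost of the two approaches can be compared on the same sample data.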