On 8/31/21 12:14, Michael Ströder wrote:
It's easy to change the config of OpenLDAP 2.5 from "overlay memberof" to "overlay dynlist" and it just works. Nice. :-)
But the existing database then still contains the 'memberOf' attribute values.
Ideally one should reload the database. But if anything fails:
Does it do any harm if 'memberOf' attribute values are still present in the database but slapo-dynlist is supposed to compute 'memberOf' attribute values based on recently changed group membership?
At the end I will instruct the admins to reload databases especially to also save space. But it would be less operational stress if I could decouple the config change from the database re-load.
Hmm, first test (with filter memberOf=<group-dn>) shows that the 'memberOf' attribute values persisted in the database are preferred and thus changed group membership will not be reflected in the dyn-list generated 'memberOf' attribute values.
So one must reload the database right after applying the config change. Otherwise search results will not be as expected.
Ciao, Michael.
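As an added illustration (not part of the original message and not OpenLDAP code): a small filter that drops persisted 'memberOf' values from an LDIF export, so that after the reload only the values computed by slapo-dynlist are returned. It assumes the reload goes through an LDIF dump (for example slapcat, then slapadd into an empty database); the function name and the sample entries are constructed.

```python
# Constructed sample dump; the DNs are made up for illustration.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
memberOf: cn=admins,ou=groups,dc=example,dc=org
memberOf: cn=a-group-with-a-long-name-that-gets-folded,ou=groups,dc=example,
 dc=org
MEMBEROF:: Y249b3BzLG91PWdyb3VwcyxkYz1leGFtcGxlLGRjPW9yZw==
description: memberOf: this is a value, not the attribute

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=org
"""


def strip_memberof(ldif_text):
    """Return (cleaned_ldif, removed) with every memberOf value dropped.

    LDIF folds long lines: a line starting with one space continues the
    previous one, so a continuation is dropped with the line it belongs to.
    """
    kept = []
    removed = 0
    dropping = False
    for line in ldif_text.splitlines(keepends=True):
        if line.startswith(" "):
            # Continuation: shares the fate of the logical line it extends.
            if not dropping:
                kept.append(line)
            continue
        # Attribute description is everything before the first ':'; options
        # (";...") are cut off and the name is compared case-insensitively.
        attr = line.split(":", 1)[0].split(";", 1)[0].strip().lower()
        dropping = attr == "memberof" and ":" in line
        if dropping:
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    print(strip_memberof(SAMPLE_LDIF)[1], "memberOf value(s) removed")
```

Running the same function over a dump taken after the reload and checking that it reports zero removed values confirms that no stale 'memberOf' data is left to shadow the dynlist-computed membership.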