As taken from elsewhere on this list:

The primary issue is that if a server goes into REFRESH mode, the order in which the entries are sent back may not allow the slapo-memberOf overlay to rebuild the groups correctly.

Details:
https://bugs.openldap.org/show_bug.cgi?id=8613

For dynlist:

Take the latest 2.5/2.6.
Remove the memberOf overlay.
Load and enable the dynlist overlay on your nodes.

Set dynlist-attrset according to your member/group naming.

Example:

dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames*


On Fri, Apr 19, 2024, 16:46 BECOT Jérôme <jbecot@itsgroup.com> wrote:
Hello!

I have a few questions regarding replication. I'm doing partial replication on plain replication by limiting the syncrepl user permissions in the ACL. It works well. Is it supported? Would it work with a delta-sync replication?

Another thing I've been told about is the memberOf overlay. My colleague told me that replication may fail when memberOf is enabled on consumers, mainly because sometimes the group is replicated before the user and memberOf would create an entry if a search is made on the user not yet replicated. Do you have some insights about this behaviour that I have not met yet?

Regards
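
The dynlist steps from the reply at the top of this message, written out as a slapd.conf fragment. This is an added example, not part of the thread: the suffix, the mdb backend and the commented-out memberof directives shown as the "before" state are assumptions, and only the dynlist-attrset line comes from the reply.

```conf
# slapd.conf fragment (constructed example; suffix and backend are placeholders)

# --- Before: slapo-memberof writes static memberOf values on each node. ---
# These values depend on the order in which entries arrive during REFRESH.
# Remove these lines from every node:
#moduleload          memberof.la
#overlay             memberof
#memberof-group-oc   groupOfUniqueNames
#memberof-member-ad  uniqueMember

# --- After: slapo-dynlist computes memberOf at search time (2.5/2.6). ---
moduleload  dynlist.la

database    mdb
suffix      "dc=example,dc=com"      # assumed suffix

overlay     dynlist
# groupOfURLs / memberURL : object class and URL attribute of dynamic groups
# uniqueMember            : attribute listing the members of a group
# +memberOf               : attribute returned on member entries
# @groupOfUniqueNames     : also cover static groups of this object class
# *                       : also follow nested groups
dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames*
```

Because memberOf is then derived from the group entries when a search runs, nothing about it has to be replicated or rebuilt in a particular order.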