I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.
It appears that subtree renames and the memberOf plugin are not handled correctly. That is:
I create cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com
I add it to a group:
dn: cn=ldaptestgroup2,cn=users,DC=samba,DC=example,DC=com
changetype: modify
add: member
member: cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com
Then I rename the container CN=ldaptestcontainer,DC=samba,DC=example,DC=com into CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
However, when I search:
[abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestgroup2"
# record 1
dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com
member: cn=ldaptestuser,cn=useRs,dc=samba,dc=example,dc=com
member: cn=ldaptestcomputer,cn=computers,dc=samba,dc=example,dc=com
member: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com
member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com

[abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestuser4"
# record 1
dn: CN=ldaptestuser4,CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
cn: ldaptestuser4
memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com
The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.
Andrew Bartlett
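
Added example, not part of the original message and not Samba code: a small checker that reads ldbsearch-style LDIF and reports member/memberOf links that no longer agree, which is the state the report above shows after the subtree rename. The function names are hypothetical, the sample is constructed from the two search results (abridged to the affected member), and it assumes the LDIF contains every entry the links point at and that DNs have no escaped commas.

```python
import re
from collections import defaultdict

# Constructed sample: the two search results from the report, abridged.
SAMPLE = """\
dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com
member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com

dn: CN=ldaptestuser4,CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
cn: ldaptestuser4
memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com
"""

def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignores spaces around commas.
    # Assumption: no escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} from ldbsearch-style LDIF."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip "# record N" comments and malformed lines
            name, value = line.split(": ", 1)
            attrs[name.lower()].append(value.strip())
        if attrs["dn"]:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def check_links(entries):
    """List (problem, group_dn, member_dn) for member/memberOf mismatches."""
    findings = []
    for dn, attrs in entries.items():
        for m in map(norm_dn, attrs.get("member", [])):
            if m not in entries:  # forward link points at a DN that is gone
                findings.append(("dangling-member", dn, m))
            elif dn not in map(norm_dn, entries[m].get("memberof", [])):
                findings.append(("missing-memberof", dn, m))
        for g in map(norm_dn, attrs.get("memberof", [])):
            if g in entries and dn not in map(norm_dn, entries[g].get("member", [])):
                findings.append(("missing-member", g, dn))  # back link only
    return findings

if __name__ == "__main__":
    for finding in check_links(parse_ldif(SAMPLE)):
        print(*finding, sep="  ")
```

On the sample it reports the group's stale member value under the old container and the renamed user whose memberOf has no matching member value on the group.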