Hi,
short question first: Is overlay memberOf supposed to work with glued databases in any direction?
I tried with 2.4.28 and get the following results:
slapd.conf with two databases
1. step ------- This is simple. MemberOf overlay only in one database ou=groups,ou=foo,ou=bar (subordinated).
database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof
database bdb suffix ou=bar ...
- created one inetOrgPerson object employeenumber=11,ou=groups,ou=foo,ou=bar - created one group ou=2,ou=groups,ou=foo,ou=bar with member: employeenumber=11,ou=groups,ou=foo,ou=bar => memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine.
=> no modifications in superior database ou=bar
2. step ------- overlay loaded in both databases
database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof
database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof
=> modification in the subordinated database work in 1. step.
- created one inetOrgPerson object employeenumber=1,ou=bar - created one group ou=1,ou=bar with member: employeenumber=1,ou=bar => memberOf in employeenumber=1,ou=bar is set and unset just fine. memberOf is working in the superior database.
- setting group ou=1,ou=bar member: employeenumber=11,ou=groups,ou=foo,ou=bar => memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine. Changes in groups of superior databases work in subordinate databases!
- setting group ou=2,ou=groups,ou=foo,ou=bar member: employeenumber=1,ou=bar => does _not_ work: memberof_value_modify DN="employeenumber=1,ou=bar" add memberOf ="ou=2,ou=groups,ou=foo,ou=bar" failed err=32 Changes in groups of subordinated databases do not work in the superior database!
3. step ------- setting "overlay glue" explicitly and removing overlay memberof from the subordinate database:
database hbd suffix ou=groups,ou=foo,ou=bar subordinate ...
database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof
overlay glue
=> changes in the subordinated database are _not_ managed by the overlay. => changes in groups of superior databases work in subordinate databases and in the superior database!
3. step II ---------- if glue is located in slapd.conf before memberof (which is IMHO wrong) and MOD on member in a group in the subordinated database is send, slapd segfaults!
4. step ------- setting "overlay glue" explicitly and overlay memberof in both databases:
database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof
database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof
overlay glue
=> like 2. step
So the best I get is - memberOf works in the database, where it is set - memberOf works for group changes in superior database on members in subordinated databases - memberOf does not work for group changes in subordinated databases to members in superior databases.
Is this the way it is supposed to work?
What I really wanted to achieve is to get memerOf to work between database (under glue) of the same level. (Like ou=1,ou=foo and ou=2,ou=foo both subordinated of ou=foo.) But while my testings above did not succeed, it did not tried.
Marc