On 8/31/21 12:26, Howard Chu wrote:
> Michael Ströder wrote:
>> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof" to "overlay dynlist" and it just works. Nice. :-)
>> But the existing database then still contains the 'memberOf' attribute values.
>> Ideally one should reload the database. But if anything fails:
>> Does it do any harm if 'memberOf' attribute values are still present in the database but slapo-dynlist is supposed to compute 'memberOf' attribute values based on recently changed group membership?
>
> Old static values are left untouched. They will be present in search results, and so may go stale over time if not deleted. I suppose dynlist could be changed to just omit any existing static values, but that's not what it does at present.
Thanks for the clarification.
Another question in this context:
Will using memberOf attribute in ACLs still work if slapo-dynlist computes the attribute values?
Ciao, Michael.
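
Added example, not part of the original thread and not OpenLDAP code: one way to find the leftover static 'memberOf' values discussed above is to check an LDIF export of the stored entries against the groups' member lists. The sample LDIF, the function names, the `member` attribute name and the simplified DN matching are assumptions; only direct membership is checked.

```python
# Added example: flag stored memberOf values that no group's member list backs.
# SAMPLE_LDIF is constructed; DN matching is simplified (no escaped commas).
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
memberOf: CN=Admins, ou=groups,dc=example,dc=com
memberOf: cn=retired,ou=groups,
 dc=example,dc=com
"""

def norm_dn(dn):
    # Lowercase and trim around commas so equivalent spellings compare equal.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; handles folding and base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            # "attr:: <base64>" marks an encoded value, "attr: value" a plain one.
            value = base64.b64decode(rest[1:]).decode() if rest.startswith(":") else rest.strip()
            attrs[name.lower()].append(value)
        if attrs.get("dn"):
            yield norm_dn(attrs["dn"][0]), attrs

def stale_memberof(text, member_attr="member"):
    """Return (entry_dn, group_dn) pairs whose stored memberOf has no backing."""
    entries = list(parse_ldif(text))
    members = {dn: {norm_dn(m) for m in a.get(member_attr, [])} for dn, a in entries}
    stale = []
    for dn, attrs in entries:
        for group in attrs.get("memberof", []):
            # Stale when the group is missing or does not list this entry.
            if dn not in members.get(norm_dn(group), set()):
                stale.append((dn, norm_dn(group)))
    return stale

if __name__ == "__main__":
    for dn, group in stale_memberof(SAMPLE_LDIF):
        print(f"stale memberOf on {dn}: {group}")
```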