Hi!
I'm experimenting with replacing slapo-memberof with slapo-dynlist in Æ-DIR's slapd.conf.
OK, basically it works but...
Æ-DIR tries hard to follow the need-to-know principle. This means that memberOf values are only made visible to clients for which they have been defined to be visible.
Thus I have ACLs like this, which don't work for these clients (lines wrapped):
access to
    dn.subtree="ou=ae-dir"
    filter="(objectClass=posixAccount)"
    attrs=memberOf
    val.regex="^.+$"
    [..]
    by set.expand="(user/-1 | user/aeSrvGroup | user/-1/aeProxyFor) & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeSrvGroup)(aeStatus=0)(aeVisibleGroups=${v0}))]/entryDN" read
    [..]
    by * none
I'm aware that this is quite special. But is there any chance that something like this will ever be supported?
The alternative would be to implement an external update process for maintaining 'memberOf'. :-/
Ciao, Michael.
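
An added illustration (not part of the original message, and not Æ-DIR or OpenLDAP code): a simplified Python model of the per-value decision the set ACL above expresses. It assumes user/-1 is the parent entry of the bound client, | is union and & is intersection; all DNs, entries and function names are constructed for the example.

```python
# Simplified model of the set ACL; every DN and value here is constructed sample data.
BASE = "ou=ae-dir"
Z = "cn=zone1," + BASE
DIRECTORY = {
    "cn=sg-web," + Z: {"objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
                       "aeVisibleGroups": ["cn=grp-web," + Z]},
    "cn=sg-db," + Z: {"objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
                      "aeVisibleGroups": ["cn=grp-db," + Z]},
    "cn=sg-old," + Z: {"objectClass": ["aeSrvGroup"], "aeStatus": ["1"],  # not active
                       "aeVisibleGroups": ["cn=grp-old," + Z]},
    "cn=sg-proxy," + Z: {"objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
                         "aeProxyFor": ["cn=sg-db," + Z]},
    "host=web1,cn=sg-web," + Z: {"objectClass": ["aeHost"],
                                 "aeSrvGroup": ["cn=sg-old," + Z]},
    "host=proxy1,cn=sg-proxy," + Z: {"objectClass": ["aeHost"]},
    "uid=alice," + Z: {"objectClass": ["posixAccount"],
                       "memberOf": ["cn=grp-web," + Z, "cn=grp-db," + Z,
                                    "cn=grp-old," + Z]},
}

def parent_dn(dn):
    # Naive split; good enough for sample DNs without escaped commas.
    return dn.split(",", 1)[1]

def attr(directory, dn, name):
    return set(directory.get(dn, {}).get(name, []))

def client_srv_groups(directory, user_dn):
    # (user/-1 | user/aeSrvGroup | user/-1/aeProxyFor)
    parent = parent_dn(user_dn)
    return ({parent} | attr(directory, user_dn, "aeSrvGroup")
            | attr(directory, parent, "aeProxyFor"))

def srv_groups_exposing(directory, group_dn):
    # Subtree search for active aeSrvGroup entries with aeVisibleGroups=${v0}
    return {dn for dn, e in directory.items()
            if dn.endswith(BASE)
            and "aeSrvGroup" in e.get("objectClass", [])
            and e.get("aeStatus") == ["0"]
            and group_dn in e.get("aeVisibleGroups", [])}

def visible_memberof(directory, user_dn, account_dn):
    # A memberOf value is readable only if both sets intersect for that value.
    mine = client_srv_groups(directory, user_dn)
    return sorted(v for v in attr(directory, account_dn, "memberOf")
                  if mine & srv_groups_exposing(directory, v))
```
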