--On Tuesday, March 29, 2022 12:35 PM +0200 Jean-Luc Bourguignon bourguijl@gmail.com wrote:
Hello Quanah,
Here is my configuration on both environments:
olcLimits: {1}group/groupOfNames/member="cn=Sailpoint Access,ou=Applications Groups,ou=Groups,ou=staff,o=mobistar.be" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
Minor note, you can just put: size=unlimited time=unlimited. As documented in the man page, this covers both soft and hard.
and the content of the group
# Sailpoint Access, Applications Groups, Groups, staff, mobistar.be
dn: cn=Sailpoint Access,ou=Applications Groups,ou=Groups,ou=staff,o=mobistar.be
cn: Sailpoint Access
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=diams,ou=Test,ou=System,o=mobistar.be
uniqueMember: uid=diamst,ou=Test,ou=System,o=mobistar.be
Your OLC Limits says that the objectClass your group is using is "groupOfNames" and the membership attribute is "member", but your *actual* object is using "groupOfUniqueNames" and "uniqueMember". These clearly are not compatible statements.
Generally I would suggest using groupOfMembers/member from rfc2307bis if you need to support empty groups. Either way, the group objectClass and membership attributes need to agree with what is actually being used.
Regards, Quanah