Hi,
While discussing the possibility of using OpenLDAP in place of 389 directory in the FreeIPA project [1], the following technical detail was mentioned.
[1]: https://www.redhat.com/archives/freeipa-devel/2009-July/msg00333.html
According to the memberof overlay man page:
The memberof overlay to slapd(8) allows automatic reverse group membership maintenance. Any time a group entry is modified, its members are modified as appropriate in order to keep a DN-valued "is member of" attribute updated with the DN of the group.
Does the memberOf overlay deal with nested membership? Or is it strictly a 1:1 relationship (forward pointer, reverse pointer)?
The 389 memberOf plug-in maintains reverse pointers for inherited membership which IPA takes advantage of.
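
An added illustration of the distinction the question draws (not part of the original message, and not code from OpenLDAP or 389): it computes 1:1 reverse pointers and inherited membership over a constructed set of group entries. The DNs and function names are assumptions, and the sketch does not reproduce either server's implementation.

```python
from collections import defaultdict

# Constructed sample directory: group DN -> values of its "member" attribute.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
OPS = "cn=ops,ou=groups,dc=example,dc=com"
ONCALL = "cn=oncall,ou=groups,dc=example,dc=com"

GROUPS = {
    ADMINS: [OPS],            # nested group: ops is a member of admins
    OPS: [ALICE, ONCALL],     # nested group: oncall is a member of ops
    ONCALL: [BOB, ADMINS],    # admins inside oncall closes a membership loop
}


def direct_memberof(groups):
    """1:1 reverse pointers: entry DN -> groups that list it as a member."""
    reverse = defaultdict(set)
    for group_dn, members in groups.items():
        for member_dn in members:
            reverse[member_dn].add(group_dn)
    return reverse


def inherited_memberof(groups, dn):
    """Direct plus inherited membership, following reverse pointers upward."""
    reverse = direct_memberof(groups)
    seen = set()
    stack = list(reverse[dn])
    while stack:
        group_dn = stack.pop()
        if group_dn in seen:  # already visited; this is what ends a loop
            continue
        seen.add(group_dn)
        stack.extend(reverse[group_dn])
    return seen


if __name__ == "__main__":
    print("direct:   ", sorted(direct_memberof(GROUPS)[ALICE]))
    print("inherited:", sorted(inherited_memberof(GROUPS, ALICE)))
```

An access rule that tests membership in the admins group matches alice only under the inherited computation, which is why the answer matters for anything that authorizes on the reverse attribute.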