M. P. wrote:
Reading the man page, I saw the memberof-refint option. From what I understand, when set to true, you can alter the user's "is member of" attribute and that would be reflected in the group's "member" attribute. Right?
I read the man page differently: "memberof-refint true" preserves referential integrity for the 'member' attribute if the member entry is renamed. Normally one would use slapo-refint for that.
=> IMO the text seems a bit ambiguous.
But the member attribute is an operational attribute and can't be modified. So I started to search for an alternative and found the eduMember schema from here https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember. Once added to the installation I could use it for objects. It adds isMemberOf and hasMember attributes that can be set for users and groups. But I can't make it work with the memberof overlay. When trying to add isMemberOf as memberof-memberof-ad it was rejected with
Wrong route...
Why do you want to change group membership by tweaking 'memberOf' anyway? Note that this would somewhat circumvent access control delegation on group entries. Hence you should always modify the group entries directly.
Ciao, Michael.