HI!

I have a hybrid groupOfEntries/posixGroup object class, let's call it 'aeGroup'. It's supposed to serve the same group membership information to RFC2307 and RFC2307bis NSS clients.

I want to keep attributes group membership attriutes consistent by using the following constraint:

# restrict memberUID to be consistent with group membership defined in member constraint_attribute memberUID,member set "this/memberUID & this/member/uid" restrict="ldap:///dc=example,dc=com??sub?(objectClass=aeGroup)"

This does not work as expected. I suspect that the constraint is not applied to each value separately. Rather the constraint is true when any of the values fulfill the constraint rules.

Similar constraints cross-referencing values work pretty well for attributes only containing a single value.

Any clue?

(Yes, I'm already taking care of this in the admin UI web2ldap, but still I want to prevent inconsistent values for any writing LDAP client.)

Ciao, Michael.