While discussing the possibility of using OpenLDAP in place of 389
directory in the FreeIPA project the following technical detail was
According to the memberof overlay man page:
The memberof overlay to slapd(8) allows automatic reverse group membership
maintenance. Any time a group entry is modified, its members are
modified as appropriate in order to keep a DN-valued "is member of"
attribute updated with the DN of the group.
Does the memberOf overlay deal with nested membership? Or is it
strictly a 1:1 relationship (forward pointer, reverse pointer)?
The 389 memberOf plug-in maintains reverse pointers for inherited
membership which IPA takes advantage of.
Ubuntu Developer http://www.ubuntu.com
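
Added example, not part of the original message and not code from OpenLDAP, 389 Directory Server or FreeIPA: the two behaviours the question distinguishes, strict 1:1 reverse pointers versus reverse pointers for inherited membership, computed over a constructed group tree. The DNs and function names are assumptions for illustration, and the sketch makes no claim about which behaviour the slapd overlay implements.

```python
from collections import defaultdict

# Constructed sample data: group DN -> DNs listed in its "member" attribute.
GROUPS = {
    "cn=admins,dc=example,dc=com": ["cn=dbas,dc=example,dc=com"],
    "cn=dbas,dc=example,dc=com": [
        "uid=alice,dc=example,dc=com",
        "cn=admins,dc=example,dc=com",  # deliberate loop: dbas <-> admins
    ],
    "cn=staff,dc=example,dc=com": [
        "uid=alice,dc=example,dc=com",
        "uid=bob,dc=example,dc=com",
    ],
}


def direct_memberof(groups):
    """Strict 1:1 reverse pointers: entry DN -> groups that name it as a member."""
    reverse = defaultdict(set)
    for group_dn, members in groups.items():
        for member_dn in members:
            reverse[member_dn].add(group_dn)
    return dict(reverse)


def inherited_memberof(groups):
    """Reverse pointers that also include groups reached through nested groups."""
    direct = direct_memberof(groups)
    result = {}
    for entry, parents in direct.items():
        seen, stack = set(), list(parents)
        while stack:
            group_dn = stack.pop()
            if group_dn in seen:  # guards against membership loops
                continue
            seen.add(group_dn)
            stack.extend(direct.get(group_dn, ()))
        seen.discard(entry)  # a loop must not make an entry a member of itself
        result[entry] = seen
    return result


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"
    print("direct:   ", sorted(direct_memberof(GROUPS)[alice]))
    print("inherited:", sorted(inherited_memberof(GROUPS)[alice]))
```

An access decision that reads only an entry's memberOf values sees alice in cn=admins under the inherited form and not under the strict 1:1 form.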