
(ITS#4443) ldapsearch for dyngroup members does not work



Full_Name: Michael Heep
Version: 2.3.20
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.180.31.25)


I'm trying to use the dyngroup overlay for dynamic group memberships, therefore I
have the following slapd.conf settings:
# Dynlist overlay to dynamically add members to groups through memberURLs
overlay dynlist
dynlist-attrset         extensibleObject memberURL uniqueMember

Then I have the following person and group entries in my directory:
dn: uid=root,ou=Tomcat_Users,dc=o2online,dc=de
userPassword: <xxx>
description: Tomcat Manager User
sn: root
cn: root
uid: root
objectClass: person
objectClass: uidObject
objectClass: top

dn: cn=manager,ou=Tomcat_Roles,dc=o2online,dc=de
uniqueMember: cn=avoids,dc=schemaviolation
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de
cn: manager
objectClass: groupOfUniqueNames
objectClass: extensibleObject
objectClass: top
memberURL: ldap:///ou=Tomcat_Users,dc=o2online,dc=de??one?(uid=root)

dn: cn=admin,ou=Tomcat_Roles,dc=o2online,dc=de
cn: admin
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de

As you can see the admin and manager groups have both the uid=root user as a
uniqueMember, once statically, once dynamically.

Issuing the following ldapsearch, I'd expect it to return both group entries:
ldapsearch -b "ou=Tomcat_Roles,dc=o2online,dc=de" -D "<rootdn>" -H ldap://<ip> -WxZZLLL "(uniqueMember=uid=root,ou=tomcat_users,dc=o2online,dc=de)"
Enter LDAP Password: 
dn: cn=admin,ou=Tomcat_Roles,dc=o2online,dc=de
cn: admin
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de

As you can see, it only returns the admin group, where the member was set
statically. It's clearly no ACL issue since I used the rootdn to bind.
I don't think this behavior is entirely correct, because with an ldapcompare
for uniquemember: uid=root... it works perfectly fine.
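
Added example (not part of the original report, and not OpenLDAP code): a client-side Python model of the two membership paths described above, matching only the stored uniqueMember values versus also evaluating each memberURL. It assumes the manager group's stored uniqueMember holds only the placeholder value, accepts only host-less URLs with a single (attr=value) filter, and uses a simplified DN comparison; the guest user and all function names are constructed.

```python
from urllib.parse import unquote

# Constructed sample data modelled on the entries in the report (stored form).
BASE = "dc=o2online,dc=de"
USERS = {
    "uid=root,ou=Tomcat_Users," + BASE: {"uid": ["root"]},
    "uid=guest,ou=Tomcat_Users," + BASE: {"uid": ["guest"]},  # constructed
}
GROUPS = {
    "cn=admin,ou=Tomcat_Roles," + BASE: {
        "uniqueMember": ["uid=root,ou=Tomcat_Users," + BASE]},
    "cn=manager,ou=Tomcat_Roles," + BASE: {
        "uniqueMember": ["cn=avoids,dc=schemaviolation"],  # assumed stored value
        "memberURL": ["ldap:///ou=Tomcat_Users,dc=o2online,dc=de??one?(uid=root)"]},
}

def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, attr, value)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are accepted")
    base, _attrs, scope, flt = (url[8:].split("?", 3) + [""] * 3)[:4]
    if not (flt.startswith("(") and flt.endswith(")") and flt.count("=") == 1):
        raise ValueError("only a single (attr=value) filter is handled here")
    attr, value = flt[1:-1].split("=")
    return norm(unquote(base)), scope or "base", attr.lower(), value.lower()

def in_scope(dn, base, scope):
    dn = norm(dn)
    if scope == "one":  # direct children of the base only
        return dn.partition(",")[2] == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def is_member(user_dn, group, expand):
    """Static uniqueMember match; memberURL is evaluated only if expand is set."""
    if norm(user_dn) in map(norm, group.get("uniqueMember", [])):
        return True
    entry = next((e for d, e in USERS.items() if norm(d) == norm(user_dn)), {})
    for url in (group.get("memberURL", []) if expand else []):
        base, scope, attr, value = parse_member_url(url)
        if in_scope(user_dn, base, scope) and value in [v.lower() for v in entry.get(attr, [])]:
            return True
    return False

def groups_for(user_dn, expand):
    return sorted(dn for dn, g in GROUPS.items() if is_member(user_dn, g, expand))
```

With expand=False the result for uid=root is the admin group only, as in the search output above; with expand=True the manager group is included as well.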