Re: Subtree renames and memberOf handling

Andrew Bartlett wrote:
> I perhaps should have flagged this earlier, but I wanted to actually
> have the test to prove it.


> The 'member' attribute on the group is wrong, most likely because such a
> subtree rename would never cause the memberOf module to fire and notice
> that this needs updating.

Yes, slapo-memberof(5) does not consider the possibility of a subtree
rename, and thus takes no care of it.  I believe at the time it was
implemented, this was not possible (in back-hdb), or not feasible (given
the impossibility to search portions of a DN-valued attribute):
slapo-memberof(5) was added to OpenLDAP sources in August 2007, but
initially implemented for OpenLDAP 2.2.

I think this change should be relatively easy right now, as a DN-valued
attribute can be searched with the dnSubtreeMatch rule to detect whether
any member/memberOf values need to be modified.

Please submit an ITS...


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
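
An added example, not part of the original message and not slapo-memberof code: a sketch of the detection step described above, which builds the dnSubtreeMatch extensible-match filter and works out which member/memberOf values still point into a renamed subtree. The function names, the example.com DNs and the in-memory directory are assumptions constructed for illustration, and DN comparison is simplified.

```python
# Added illustration, not slapo-memberof code. DN handling is simplified:
# RDNs are compared case-insensitively and multi-valued RDNs are not reordered.

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
        esc = (ch == "\\") and not esc
    rdns.append(cur.strip())
    return rdns

def norm(rdns):
    return [r.lower() for r in rdns]

def dn_subtree_match(value, base):
    """True if value is base itself or lies below it (dnSubtreeMatch semantics)."""
    v, b = norm(split_dn(value)), norm(split_dn(base))
    return len(v) >= len(b) and v[len(v) - len(b):] == b

def subtree_filter(attr, base):
    """Extensible-match filter string, with RFC 4515 escaping of the assertion value."""
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in base)
    return "(%s:dnSubtreeMatch:=%s)" % (attr, esc)

def plan_fixups(entries, old_base, new_base):
    """List (entry_dn, attr, old_value, new_value) for stale member/memberOf values."""
    depth = len(split_dn(old_base))
    plan = []
    for dn, attrs in entries.items():
        for attr in ("member", "memberOf"):
            for val in attrs.get(attr, []):
                if dn_subtree_match(val, old_base):
                    head = split_dn(val)[:-depth]
                    plan.append((dn, attr, val, ",".join(head + [new_base])))
    return plan

# Constructed sample directory state after ou=Old was renamed to ou=New.
ENTRIES = {
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "member": ["cn=Alice,ou=Old,dc=example,dc=com", "cn=Bob,ou=Staff,dc=example,dc=com"]},
    "cn=Alice,ou=New,dc=example,dc=com": {
        "memberOf": ["cn=admins,ou=Groups,dc=example,dc=com"]},
}
```

A group whose member value still names the old DN no longer resolves to the renamed user, so access decisions that rely on group membership can silently drift until such values are rewritten.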