On 8/31/21 12:14, Michael Ströder wrote:
> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
> to "overlay dynlist" and it just works. Nice. :-)
>
> But the existing database then still contains the 'memberOf' attribute
> values.
>
> Ideally one should reload the database. But if anything fails:
>
> Does it do any harm if 'memberOf' attribute values are still present in
> the database but slapo-dynlist is supposed to compute 'memberOf'
> attribute values based on recently changed group membership?
>
> At the end I will instruct the admins to reload databases especially to
> also save space. But it would be less operational stress if I could
> decouple the config change from the database re-load.

Hmm, first test (with filter memberOf=<group-dn>) shows that the 'memberOf' attribute values persisted in the database are preferred and thus changed group membership will not be reflected in the dyn-list generated 'memberOf' attribute values.

So one must reload the database right after applying the config change. Otherwise search results will not be as expected.

Ciao, Michael.
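
An added example, not part of the original post and not OpenLDAP code: a check over an LDIF export that reports which entries still carry persisted 'memberOf' values and removes them, assuming the reload is meant to drop the stored values so that only the computed ones remain. The sample LDIF and the function names are constructed for illustration.

```python
import re

# Constructed sample of a slapcat-style LDIF export (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
memberOf: cn=admins,ou=groups,dc=example,dc=org
memberOf: cn=a-very-long-group-name-that-gets-folded,ou=groups,dc=exam
 ple,dc=org

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol
memberOf:: Y249w6RkbWlucyxvdT1ncm91cHMsZGM9ZXhhbXBsZSxkYz1vcmc=
"""

# Matches "memberOf:", "memberOf::" (base64) and "memberOf;option:" lines.
MEMBEROF = re.compile(r"^memberof(;[^:]*)?::?", re.IGNORECASE)

def unfold(ldif):
    """Join LDIF continuation lines (those starting with a single space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def strip_memberof(ldif):
    """Return (LDIF without memberOf values, {dn: values removed}).
    Output lines are left unfolded."""
    kept, removed, dn = [], {}, None
    for line in unfold(ldif):
        if line.lower().startswith("dn:"):
            dn = line[3:].lstrip(": ")
        if MEMBEROF.match(line):
            removed[dn] = removed.get(dn, 0) + 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    cleaned, removed = strip_memberof(SAMPLE_LDIF)
    for dn, n in removed.items():
        print(f"{n} persisted memberOf value(s): {dn}")
```

An empty result from a second pass over the cleaned export confirms that no stored values are left to take precedence over the computed ones.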
