The openldap-techincal traffic Michael mentioned is almost certainly the same issue. In our case, yes this could have appeared as early as 2.4.23.
What I'm seeing now is that formerly memberof functioned with accesslog in a delta-syncrepl type environment by having each stage of replication (master, hub, replica, etc) run the overlay to supply the changes. It seems like originally only the group change went through and the overlay relied on reqStart collisions to prevent its internal operations from reaching the replication log. So: the recent change that exposed this was something that changed the order these things are applied and sent to accesslog. Changing memberof again to reveal only the group changes should probably a separate ITS, or perhaps a discussion (openldap-devel) on how we want it to work. As-is, the fix in git master breaks compatibility with configurations from prior releases. Emily Backes Symas - The LDAP Guys [email protected]
