Hi list,

I'm trying to use the dyngroup overlay for dynamic group memberships, therefore I got the following slapd.conf settings:

# Dynlist overlay to dynamically add members to groups through memberURLs
overlay dynlist
dynlist-attrset extensibleObject memberURL uniqueMember

Then I have the following person and group entries in my directory:

dn: uid=root,ou=Tomcat_Users,dc=o2online,dc=de
userPassword: <xxx>
description: Tomcat Manager User
sn: root
cn: root
uid: root
objectClass: person
objectClass: uidObject
objectClass: top

dn: cn=manager,ou=Tomcat_Roles,dc=o2online,dc=de
uniqueMember: cn=avoids,dc=schemaviolation
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de
cn: manager
objectClass: groupOfUniqueNames
objectClass: extensibleObject
objectClass: top
memberURL: ldap:///ou=Tomcat_Users,dc=o2online,dc=de??one?(uid=root)

dn: cn=admin,ou=Tomcat_Roles,dc=o2online,dc=de
cn: admin
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de

As you can see, the admin and manager groups both have the uid=root user as a uniqueMember, once statically, once dynamically. Issuing the following ldapsearch, I'd expect it to return both group entries:

ldapsearch -b "ou=Tomcat_Roles,dc=o2online,dc=de" -D "<rootdn>" -H ldap://<ip> -WxZZLLL "(uniqueMember=uid=root,ou=tomcat_users,dc=o2online,dc=de)"
Enter LDAP Password:
dn: cn=admin,ou=Tomcat_Roles,dc=o2online,dc=de
cn: admin
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de

As you can see, it only returns the admin group, where the member was set statically. It's clearly no ACL issue since I used the rootdn to bind. I don't think this behavior is entirely correct, because an ldapcompare for uniquemember: uid=root... works perfectly fine.

Regrettably, Tomcat issues searches in the form of the above ldapsearch command instead of ldapcompare, and I'd love to use authentication there with dynamic groups to minimize administration time.

Any suggestions?

Thanks and kind regards,
Michael Heep
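What the manager group's memberURL selects, as an added example that is not part of the original post and is not OpenLDAP's code: a Python sketch that parses the LDAP URL (RFC 4516) and evaluates its base, scope and filter against constructed sample entries. The DIRECTORY data and all function names are assumptions, and only simple equality and presence filters are handled.

```python
from urllib.parse import unquote

# Constructed sample data modelled on the post's entries (DN -> attributes).
DIRECTORY = {
    "uid=root,ou=Tomcat_Users,dc=o2online,dc=de": {"uid": ["root"]},
    "uid=guest,ou=Tomcat_Users,dc=o2online,dc=de": {"uid": ["guest"]},   # constructed
    "uid=root,ou=Sub,ou=Tomcat_Users,dc=o2online,dc=de": {"uid": ["root"]},  # constructed
}

def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into its parts."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap URL")
    hostport, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?") + [""] * 4   # pad so missing fields read as empty
    return {
        "host": hostport,
        "base": unquote(fields[0]),
        "attrs": [a for a in unquote(fields[1]).split(",") if a],
        "scope": unquote(fields[2]).lower() or "base",
        "filter": unquote(fields[3]) or "(objectClass=*)",
    }

def norm_dn(dn):
    # Assumption: no escaped commas in RDN values; DNs compared case-insensitively.
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    rdns_below = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or rdns_below == 1   # "one" = direct children only

def matches(attrs, flt):
    inner = flt.strip()[1:-1]
    attr, sep, value = inner.partition("=")
    if not sep or any(c in inner for c in "()&|!") or ("*" in value and value != "*"):
        raise ValueError("only (attr=value) and (attr=*) are handled in this sketch")
    values = {k.lower(): v for k, v in attrs.items()}.get(attr.lower(), [])
    return bool(values) if value == "*" else value.lower() in [v.lower() for v in values]

def expand_member_url(url, directory=DIRECTORY):
    """Return the DNs a memberURL selects, i.e. the group's dynamic members."""
    u = parse_ldap_url(url)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, u["base"], u["scope"]) and matches(attrs, u["filter"]))
```

Running it on each group's memberURL before relying on the group for role mapping shows exactly which DNs would receive the role, including how a change of scope from one to sub widens the set.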
