On 8/31/21 12:26, Howard Chu wrote:
> Michael Ströder wrote:
>> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
>> to "overlay dynlist" and it just works. Nice. :-)
>>
>> But the existing database then still contains the 'memberOf' attribute
>> values.
>>
>> Ideally one should reload the database. But if anything fails:
>>
>> Does it do any harm if 'memberOf' attribute values are still present in
>> the database but slapo-dynlist is supposed to compute 'memberOf'
>> attribute values based on recently changed group membership?
>
> Old static values are left untouched. They will be present in search results,
> and so may go stale over time if not deleted. I suppose dynlist could be
> changed to just omit any existing static values, but that's not what it
> does at present.

Thanks for the clarification.

Another question in this context:

Will using memberOf attribute in ACLs still work if slapo-dynlist
computes the attribute values?

Ciao, Michael.
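
An added example, not part of the thread: a check that lists stored static 'memberOf' values no longer backed by the group's own member list, which is the staleness described above. It assumes an LDIF export of the stored entries (for example from slapcat), groups that list members in `member`, and a simplified DN comparison; the sample data is constructed.

```python
# Added example. Assumptions: groups list members in "member"; DN matching is simplified.
import base64

# Constructed sample data, not taken from the thread.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
memberOf: cn=Admins,ou=groups,
 dc=example,dc=com
"""

def norm(dn):
    """Simplified DN normalisation: lower-case, strip spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; handles folding and base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def stale_memberof(text):
    """Return sorted (entry DN, group DN) pairs where memberOf has no matching member."""
    entries = list(parse_ldif(text))
    members = {norm(e["dn"][0]): {norm(m) for m in e.get("member", [])} for e in entries}
    stale = []
    for e in entries:
        dn = norm(e["dn"][0])
        for group in e.get("memberof", []):
            # A group missing from the export is reported as stale as well.
            if dn not in members.get(norm(group), set()):
                stale.append((dn, norm(group)))
    return sorted(stale)
```

Calling `stale_memberof()` on the sample reports bob's leftover value for the admins group, while alice's value is still matched by the group's `member` list.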
