I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.

It appears that subtree renames and the memberOf plugin are not handled correctly.

That is:

I create cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com

I add it to a group:

dn: cn=ldaptestgroup2,cn=users,DC=samba,DC=example,DC=com
changetype: modify
add: member
member: cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com

Then I rename the container
CN=ldaptestcontainer,DC=samba,DC=example,DC=com into
CN=ldaptestcontainer2,DC=samba,DC=example,DC=com

However, when I search:

[abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestgroup2"
# record 1
dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com
member: cn=ldaptestuser,cn=useRs,dc=samba,dc=example,dc=com
member: cn=ldaptestcomputer,cn=computers,dc=samba,dc=example,dc=com
member: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com
member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com

[abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestuser4"
# record 1
dn: CN=ldaptestuser4,CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
cn: ldaptestuser4
memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com

The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
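
The inconsistency reported above can be checked mechanically from ldbsearch output. The following is an added example, not part of the original message and not Samba code: it flags entries whose memberOf names a group that does not list the entry's current DN. The function names are hypothetical, and it assumes unfolded `attr: value` lines and simple DNs without escaped commas.

```python
from collections import defaultdict

# Constructed sample: the two ldbsearch records from the report, trimmed.
SAMPLE = """\
# record 1
dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com
member: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com
member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com

# record 1
dn: CN=ldaptestuser4,CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
cn: ldaptestuser4
memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com
"""

def norm_dn(dn):
    """Case-fold and trim RDNs; an assumption that holds for simple DNs only."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_records(text):
    """Parse unfolded LDIF into {normalized dn: {attr: [values]}}."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends the record
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = records.setdefault(norm_dn(value), defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return records

def broken_links(records):
    """Return (group, entry, stale): entry's memberOf names group, but group's
    member list lacks entry; stale is a member with the same leading RDN."""
    problems = []
    for dn, attrs in records.items():
        for group in map(norm_dn, attrs.get("memberof", [])):
            members = [norm_dn(m) for m in records.get(group, {}).get("member", [])]
            if dn in members:
                continue
            rdn = dn.split(",", 1)[0]
            stale = next((m for m in members if m.split(",", 1)[0] == rdn), None)
            problems.append((group, dn, stale))
    return problems
```

On the sample, `broken_links(parse_records(SAMPLE))` reports ldaptestuser4 under ldaptestcontainer2 as missing from ldaptestgroup2, with the pre-rename DN as the stale member value.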