M. P. wrote: > I'm not sure I understand "user modification requests" well. By user, do you > mean the person who manipulate the directory or an object of "type" user ? This term is used for normal LDAP modify requests coming from a LDAP client external to slapd. > If I have memberof overlay activated and it changes the uid's memberof > attribute, isn't it a user modification request (by memberof overlay) ? Every modification done by an overlay is internal. > I've tested refint another way. I removed the user (identified by uid) from > the directory. > When the user is deleted, refint_nothing works and replaces the last member > with the placeholder (I also have some debug information in logs). I thought > that refint_nothing would also work when a modification is done on one of > refint attributes. In this case slapo-refint's own modification is internal and therefore refint_nothing applys. But it does apply when the modification comes from an external LDAP client. Thinking about the empty-groupOfNames-problem some more I consider to define a cn=dummy value to be always present in groupOfNames entries and apply val-based ACLs to make it invisible and unremovable for normal clients (even the ones maintaining the groups). Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature