Edgar Resendiz

Replication and memberOf

Several years ago the OpenLDAP project “deprecated” the `memberof` overlay in favour of the `dynlist` (dynamic lists) overlay. The deprecation was recorded only in the `memberof` man page and is therefore not widely known or understood.


The `memberof` overlay lets deployments maintain group objects automatically, managing them based on `memberOf` attributes in other entries (most often, user entries). The processing that maintains the groups is done while the database is being updated, that is, at “write” time. There is a fundamental problem with the order in which replication updates are presented to replica (consumer) servers receiving those updates from other servers. Although it triggers problems only very rarely, the mechanism is known to be unsafe. The OpenLDAP Project has no plans to address these problems. An entirely new `autogroup` overlay will, when complete, replace `memberof` with very much the same function.


The `dynlist` overlay does something similar, but it builds the group member list dynamically at “read” (query) time. This is useful in a wider range of use cases, and `dynlist` has received a lot of development attention and improvement since its introduction some years ago. However, because `dynlist` builds the response dynamically, significant processing happens during the query, and that has a performance impact; in certain cases a very significant one. `dynlist` is, at present, the only reliable technology for this function. Deployments using `memberof` should seriously consider switching to `dynlist`, at least temporarily, until `autogroup` is ready in 2.5 and 2.6.
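The difference between the two approaches is easiest to see with a small model. The following Python program is an added illustration written for this post; it is not OpenLDAP code and does not reproduce the real overlays. It replays a constructed two-entry replication log (a user, then a static group naming that user) into two toy consumers, once in the order the provider wrote it and once with the two adds swapped, and reports the `memberOf` each strategy would return for the user. Write-time maintenance loses the value when the group arrives before the member entry, whereas read-time derivation gives the same answer either way. Since `memberOf` is what ACLs and applications typically consult, a replica that silently drops it makes access decisions differ from server to server.

```python
"""Toy model of write-time vs read-time group maintenance under replication.

Constructed for this post as an illustration; it is not OpenLDAP code and
does not reproduce the real overlays. Two consumers replay the same
replication log, one in the order the provider wrote it and one with the
two adds swapped, and we compare the memberOf each would report for a user.
"""

USER_DN = "uid=alice,ou=people,dc=example,dc=com"
GROUP_DN = "cn=admins,ou=groups,dc=example,dc=com"

# Constructed replication log: the user entry, then a static group naming it.
REPLICATION_LOG = [
    ("add", USER_DN, {"objectClass": ["inetOrgPerson"], "uid": ["alice"]}),
    ("add", GROUP_DN, {"objectClass": ["groupOfNames"], "member": [USER_DN]}),
]


class WriteTimeMemberOf:
    """memberof-style: memberOf is materialised when the group is written.

    If the member entry has not arrived yet there is nothing to update, and
    nothing later goes back to repair it, so the value is silently lost.
    """

    def __init__(self):
        self.entries = {}  # dn -> {attribute: set(values)}

    def apply(self, op):
        kind, dn, attrs = op
        assert kind == "add"  # the model only needs adds to show the problem
        self.entries[dn] = {k: set(v) for k, v in attrs.items()}
        if "groupOfNames" in attrs.get("objectClass", []):
            for member_dn in attrs.get("member", []):
                target = self.entries.get(member_dn)
                if target is None:
                    continue  # dangling member: memberOf never gets written
                target.setdefault("memberOf", set()).add(dn)

    def member_of(self, user_dn):
        return sorted(self.entries.get(user_dn, {}).get("memberOf", set()))


class ReadTimeMemberOf:
    """dynlist-style: memberOf is derived from the group entries at query
    time, so the result depends only on final state, not on arrival order."""

    def __init__(self):
        self.entries = {}

    def apply(self, op):
        kind, dn, attrs = op
        assert kind == "add"
        self.entries[dn] = {k: set(v) for k, v in attrs.items()}

    def member_of(self, user_dn):
        return sorted(
            dn for dn, entry in self.entries.items()
            if "groupOfNames" in entry.get("objectClass", set())
            and user_dn in entry.get("member", set())
        )


def replay(model_cls, ops):
    """Replay a replication log into a fresh model and report alice's groups."""
    model = model_cls()
    for op in ops:
        model.apply(op)
    return model.member_of(USER_DN)


def compare_orders():
    """Return {strategy: (memberOf in provider order, memberOf in swapped order)}."""
    swapped = list(reversed(REPLICATION_LOG))
    return {
        "write_time": (replay(WriteTimeMemberOf, REPLICATION_LOG),
                       replay(WriteTimeMemberOf, swapped)),
        "read_time": (replay(ReadTimeMemberOf, REPLICATION_LOG),
                      replay(ReadTimeMemberOf, swapped)),
    }


if __name__ == "__main__":
    for strategy, (in_order, swapped) in compare_orders().items():
        print(f"{strategy:10s} provider order: {in_order}  swapped: {swapped}")
```

The model deliberately keeps only `add` operations and a single group; the point is that write-time materialisation is a function of the sequence of updates, while read-time derivation is a function of the resulting entries, which is why `dynlist` is not exposed to the ordering problem at all.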


Unfortunately, converting from `memberof` to `dynlist` is not a simple task. A `slapcat` dump must be modified first, and then **The Cluster** has to have its database reloaded. This requires a maintenance window, as `memberof`-based servers cannot replicate with `dynlist`-based servers. Detailed instructions are being prepared.
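Whether or not a deployment converts right away, it is worth knowing whether the replicas currently agree on `memberOf`. The following script is an added example for this post, not a Symas or OpenLDAP tool: it reads two `slapcat` dumps (a minimal LDIF parser that unfolds continuation lines and decodes `::` base64 values) and lists every entry whose `memberOf` values differ between them. The two dumps are constructed and trimmed to the attributes the check needs; the same comparison run before and after a maintenance-window reload confirms that the servers ended up consistent.

```python
"""Compare memberOf values between two slapcat dumps.

Added example for this post (not a Symas or OpenLDAP tool). Useful for
spotting replica drift in write-time-maintained attributes, and for
confirming that all servers agree before and after a database reload.
The two dumps below are constructed and trimmed to what the check needs.
"""
import base64


def parse_ldif(text):
    """Minimal slapcat LDIF reader: unfolds continuation lines, decodes
    '::' base64 values, skips comments. Returns {dn: {attr: set(values)}}.
    Attribute names are lower-cased; attribute options are not handled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # RFC 2849 line folding
        else:
            unfolded.append(raw)

    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, set()).add(value)
    return entries


def memberof_drift(dump_a, dump_b, attr="memberof"):
    """Return {dn: (values in a, values in b)} for entries whose memberOf
    differs between the two dumps, including entries present in only one."""
    a, b = parse_ldif(dump_a), parse_ldif(dump_b)
    drift = {}
    for dn in sorted(set(a) | set(b)):
        va = a.get(dn, {}).get(attr, set())
        vb = b.get(dn, {}).get(attr, set())
        if va != vb:
            drift[dn] = (sorted(va), sorted(vb))
    return drift


# Constructed dumps: the provider recorded alice's memberOf, the consumer did not.
PROVIDER_DUMP = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
memberOf: cn=admins,ou=groups,dc=exampl
 e,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
"""

CONSUMER_DUMP = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    for dn, (provider, consumer) in memberof_drift(PROVIDER_DUMP, CONSUMER_DUMP).items():
        print(f"{dn}\n  provider: {provider}\n  consumer: {consumer}")
```

Run against real dumps, read each file and pass the two strings to `memberof_drift`; an empty result means every entry carries the same `memberOf` values on both servers. The parser is intentionally small and ignores attribute options and change records, which `slapcat` output does not contain.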

