Dynamic groups are broken, but we need to investigate why and how to fix it. This is an important enhancement, as it is a common configuration.

By dynamic groups, we mean the user entry has an 'memberOf' attribute value for each group (as opposed to the group having a 'member' attribute value for each user). Below is a sample LDAP configuration:

dn: cn=mygroup,ou=groups,dc=example,dc=com
objectClass: group
ou: groups
cn: mygroup

dn: cn=jsmith,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
ou: users
cn: jsmith
memberOf: cn=mygroup,ou=groups,dc=example,dc=com

Note that the 'memberOf' attribute name may vary, and its value can be the full distinguished name (DN) or just the common name (CN) component. This customisation is required for full dynamic group support.