In this release of eDirectory, you should use LDAP to manage Dynamic Group objects. There are no ConsoleOne snap-ins available with eDirectory 8.6.1 to manage dynamic groups. Also, third-party products such as Netscape's admin console cannot be used to manage Novell eDirectory dynamic groups because the schema and the functionality provided differs from Netscape's implementation.
The memberQueryURL attribute is defined as a multi-valued attribute to enable future enhancements, but in eDirectory 8.6.1, only the first value of the multi-valued attribute is used for the dynamic member expansion. To avoid confusion, set only one value for the memberQueryURL attribute, and use the "replace:" option instead of "add:" to specify a query URL value for the memberQueryURL attribute.
Referential integrity is not supported for distinguished names embedded in the memberQueryURL attribute. If a dynamic group object is created in a tree and the treeName or the search baseDN changes subsequently, the dynamic members will not be visible. You can correct this by reading the memberQueryURL attribute and correcting the treeName or the baseDN. The same thing applies for attribute names or class names that are in the search filter and subsequently removed.
A dgIdentity attribute on the Dynamic Group object can be set to the distinguished name of an entry whose credentials and rights should be used to expand the dynamic members of the group. The dgIdentity entry should always be chosen so that it is on the same partition as the Dynamic Group object. If it is not on the same partition, the dynamic members will not be visible. If no dgIdentity attribute is specified, the expansion of dynamic members will bind as public (anonymous). In that case, [Public] should at least have Read/Compare rights on all the attribute that occur in the search filter in the memberQueryURL, and also have Browse rights under the baseDN specified in the memberQueryURL.
If Dynamic Group objects are created on a pre-eDirectory 8.6.1 server, either by extending the schema to the eDirectory 8.6.1 schema or by adding the server to a tree that contains eDirectory 8.6.1 servers, the Dynamic Group object will be created but its dynamic members will not be visible on the pre-eDirectory 8.6.1 server. If the server is subsequently upgraded to eDirectory 8.6.1, the dynamic members will still not be visible until the Dynamic Group objects are upgraded.