I'm confused! :)

I've got a dynamic group in OpenLDAP:

dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))

When I search for it, it gets expanded (the dynlist module is set up correctly):

$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'cn= DynamicGroup'
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
member: cn=User One,ou=People,dc=MyDomain
member: cn=User Two,ou=People,dc=MyDomain

Brilliant. Exactly what I'd expect.

However, if I search on it by member I get nothing!

$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=cn=User One,ou=People,dc=MyDomain' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers

dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers

But, no cn: DynamicGroup ! :(

Nothing! :(

Does anyone have an hint for me as to why that might not be working?

Update:

I thought that it might be that the member attribute was not formally mentioned in the dynlist schema. I've added it, but it still doesn't work:

dn: cn={6}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {6}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'I
 dentifies an URL associated with each member of a group. Any type of labeled
 URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use
  when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authoriza
 tion rules that determine who is allowed to assume the dgIdentity' EQUALITY a
 uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top S
 TRUCTURAL MUST cn MAY ( member $ memberURL $ businessCategory $ description $
  o $ ou $ owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY
  ( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 997a529e-a081-1033-8148-81c0722e60ba
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140715153657Z
entryCSN: 20140715153657.339934Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140715153657Z

It looks like from an attribute search perspective the member attribute either isn't matching, or it's doing the search prior to the dynlist expansion:

root@auth-new:/vagrant/LDAP# /usr/bin/ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=*' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers

dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers

Update: using an auto group it now works:

dn: olcOverlay=autogroup,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
olcAGmemberOfAd: memberOf

The dynlist overlay doesn't implement the feature you're looking for. You're correct about the expansion happening later than the search filter. See for example the thread starting at http://www.openldap.org/lists/openldap-software/200708/msg00250.html

You may want to look at the contributed autogroup overlay, which maintains membership info in the database (where it can be searched and filtered) but updates it automatically when needed.