I want to update a group when a change is made to a user's corresponding attribute--adding a value, deleting a value or changing a value.

I have a handful of groups (which could grow in the future)--call them Fin and HR. Membership in a group means a user is to be authorized to use that application. A multi-value attribute (call it appflag) with values like Fin or HR indicates which app and group.

With code similar to the following, I can find all of an app's users...using Net::LDAP---

$result = $ldap->search (
   base => "dc=chocolates,dc=com",
   filter => "appflag=HR",
   attrs => ['dn']);
[download]

Using this result, I want to replace all of the dn's in the group.

I expect to have one update routine per group.

I'd prefer not to use the changelog (Sun Directory Server).

And no, it's not possible for us to authorize using the attribute.

TIA!!