OpenLDAP изменяют участника, не позволяется

The RFC2307 aka "NIS" schema does not allow posixGroup to have member attributes – only memberUid; you can see for yourself in the nis.schema file, around line 175.

objectClass: posixGroup         (structural)
cn: users
gidNumber: 1000
memberUid: daywalker

If you want to use member and entry DNs when creating "system" (POSIX) groups, you will need to use the RFC2307bis schema, which changes posixGroup into auxiliary so that it could be used with either groupOfNames or groupOfMembers classes:

objectClass: groupOfMembers     (structural)
objectClass: posixGroup         (auxiliary)
cn: users
gidNumber: 1000
member: uid=daywalker,ou=people,dc=foo

For other purposes (LDAP-only groups), just groupOfNames or groupOfMembers should be enough.