The feature introduced in 2.3 [1] to map undefined attributes from proxies as "proxied" attribute descriptions enables searches with filters using attributes that have no local definition.
For example, given slapd with a back-ldap pointing to an Active Directory (AD) server, this feature makes searches with a filter of "(samAccountName=login)" work with no extra configuration, and without explicitly adding samAccountName to the local schema.
However, such searches will be passed on to the AD server only if a previous search result contained the attributes in question (samAccountName) and was not based on a filter containing the attribute. Otherwise, the filter is considered invalid and replaced with "(?=undefined)" in the logs, and passed to the AD server as "(!(objectclass=*))".
This means that the same search, on the same data, can return different results at different times, depending on whether or not a previous search had succeeded and returned the given attribute (samAccountName).
Currently, we have worked around this problem by either:
- running a bogus ldapsearch just after starting slapd, that returns this attribute
- adding the attribute description to a local schema
What is the general opinion on working around this issue? Might there be a way to implement something that ensures this happens automatically? I'm thinking of delegating filter checking to proxied servers for ldap backends, or automatically fetching schemas from them... Any experience, ideas?
Thanks in advance. Best regards, Jonathan
[1] http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=3959
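The first workaround described above (a "priming" search run right after slapd starts, so that the proxied attribute appears in a result before any client filters on it) as an added shell example. This is not code from the post or from the OpenLDAP project; the URI, suffix, bind credentials and the `(objectClass=user)` filter (AD's user class) are assumptions, supplied through environment variables. The search requests the attribute explicitly but does not filter on it, which is the condition the post describes for the mapping to be established.

```shell
#!/bin/sh
# Added example (not from the original post): prime a back-ldap proxy so that a
# proxied attribute such as sAMAccountName is known to slapd before real clients
# search with a filter on it.
# Assumptions (hypothetical): slapd listens on LDAP_URI, the proxied suffix is
# LDAP_BASE, and LDAP_BINDDN / LDAP_BINDPW (if set) can read user entries.

LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"
PRIME_ATTR="${PRIME_ATTR:-sAMAccountName}"

# Wait until slapd answers a rootDSE search (anonymous, attribute list "1.1"
# means "return no attributes"); give up after 30 attempts.
wait_for_slapd() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        if ldapsearch -x -H "$LDAP_URI" -s base -b "" 1.1 >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

# Return 0 if the LDIF on stdin carries at least one value of attribute $1.
# Attribute names are case-insensitive in LDAP, so compare in lower case;
# "^name:" also matches base64-encoded values written as "name::".
ldif_has_attr() {
    attr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | grep -q "^${attr}:"
}

# The priming search: filter on a class that carries the attribute (not on the
# attribute itself), ask for the attribute, and stop after one entry (-z 1).
prime_attr() {
    ldapsearch -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        ${LDAP_BINDDN:+-D "$LDAP_BINDDN"} ${LDAP_BINDPW:+-w "$LDAP_BINDPW"} \
        -z 1 "(objectClass=user)" "$PRIME_ATTR"
}

# Only perform network calls when invoked as "prime-proxy.sh run"; the
# functions above can then be sourced or tested without a live server.
if [ "${1:-}" = "run" ]; then
    wait_for_slapd || { echo "slapd not reachable at $LDAP_URI" >&2; exit 1; }
    if prime_attr | ldif_has_attr "$PRIME_ATTR"; then
        echo "primed: $PRIME_ATTR returned from $LDAP_URI"
    else
        echo "warning: no entry returned $PRIME_ATTR; proxied filters may still fail" >&2
        exit 2
    fi
fi
```

Run it once from the same unit or script that starts slapd (e.g. `prime-proxy.sh run` after the service is up); the non-zero exit when the attribute did not come back is the signal that later "(samAccountName=...)" searches will still be rewritten to "(?=undefined)".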