Hello,

Just for information, I’ve found the mechanism in OpenLDAP allowing integrators to do stupid things: overlays.

Apple has created a customer overlay for their own services and has recently added hardcoded value for specific request with specific attributes.

http://www.opensource.apple.com/source/OpenLDAP/OpenLDAP-499.27/OpenLDAP/ser...

I didn’t know that overlay was able to have deep control like that over LDAP request.

I can’t thanks you for this end since no one has ever mentioned that OpenLDAP has official hooking API on LDAP request but here is the solution for my problem and now I know how to fix it by my own, without waiting for a fix from Apple, just patching slapd, changing a condition in odusers_search function.

Best regards, Yoann