
Proxied attribute descriptions initialization
The feature introduced in 2.3 [1] to map undefined attributes from
proxies as "proxied" attribute descriptions enables searches with
filters using attributes that have no local definition.

For example, given slapd with a back-ldap pointing to an Active
Directory (AD) server, this feature makes searches with a filter of
"(samAccountName=login)" work with no extra configuration, and without
explicitly adding samAccountName to local schema.

However, such searches will be passed on to the AD server only if a
previous search result contained the attributes in question
(samAccountName) and was not based on a filter containing the attribute.
Otherwise, the filter is considered invalid and replaced with
"(?=undefined)" in the logs, and passed to the AD server as
"(!(objectclass=*))".

This means that the same search, on the same data, can return different
results at different times, depending on whether or not a previous
search had succeeded and returned given attribute (samAccountName).

Currently, we have worked around this problem by either:
- running a bogus ldapsearch just after starting slapd, that returns
this attribute
- adding the attribute description to a local schema

What is the general opinion on working around this issue? Might there be
a way to implement something that ensures this happens automatically?
I'm thinking of delegating filter checking to proxied servers for ldap
backends, or automatically fetching schemas from them... Any experience,
ideas?

Thanks in advance. Best regards,
Jonathan

[1]http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=3959
-- 
Jonathan Clarke

Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
Tél: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com
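The second workaround from the post above (giving the attribute a local definition so the filter is always valid, whether or not an earlier search has already returned it) as a configuration example. This is added here and is not part of the original message or the OpenLDAP project's own files; it assumes slapd.conf-style configuration, a schema file path, suffix and AD URI that are placeholders, and uses the OID and DirectoryString syntax that Active Directory publishes for sAMAccountName:

```conf
# Added example: local attribute definition for an AD attribute that is
# otherwise only known to slapd after a proxied search has returned it.
# File: /etc/openldap/schema/ad-proxy.schema (path is a placeholder)
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'Local definition of the AD attribute; OID and syntax as published by AD'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# In slapd.conf, include the file after the core schema and in front of the
# back-ldap database so the attribute type exists before any search arrives.
# (suffix and uri below are placeholders)
include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/ad-proxy.schema

database ldap
suffix   "dc=example,dc=com"
uri      "ldap://ad.example.com/"
```

With the type defined at startup, a filter such as "(sAMAccountName=login)" is parsed against the local schema on every request, so the result no longer depends on what earlier searches happened to return and no warm-up ldapsearch is needed. To check it, run a search with that filter immediately after starting slapd and confirm the log shows the filter as sent rather than "(?=undefined)", and that the filter forwarded to AD is not "(!(objectclass=*))". Declaring the matching rules locally is the trade-off to be aware of: slapd normalizes the assertion value with the rules given here, so they should agree with how the proxied server matches the attribute.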