Unknown objectClass in search filter alters the filter?



Hi!

How does OpenLDAP behave when it encounters a search filter with an
unknown objectClass? From what I've been able to gather, it translates
the search filter into (?objectClass=value), thus yielding the rest of
the search invalid. What can I do about this? Either just pass the
search as it is, or remove it altogether?

The reason I'm asking about this is that I'm setting up OpenLDAP as a
proxy for Active Directory. After months of researching I've discovered
that the problem lies exactly here - OpenLDAP alters the search filter
for object classes it knows nothing about.

Example:

(|
  (&
    (objectClass=group)
    (member=cn=username,ou=test,dc=example,dc=com)
  )
  (&
    (objectClass=groupOfNames)
    (member=cn=username,ou=test,dc=example,dc=com)
  )
  (&
    (objectClass=groupOfUniqueNames)
    (uniqueMember=cn=username,ou=test,dc=example,dc=com)
  )
  (&
    (objectClass=accessGroup)
    (member=cn=username,ou=test,dc=example,dc=com)
  )
  (&
    (objectClass=univentionGroup)
    (uniqueMember=cn=username,ou=test,dc=example,dc=com)
  )
)

Yields no entries. I've looked at the syslog (loglevel = 256) and I see
that the last two clauses have been "translated" into
"?objectClass=accessGroup" and "?objectClass=univentionGroup". But if I
then remove the last two clauses, like so...

(|
  (&
    (objectClass=group)
    (member=cn=username,ou=test,dc=example,dc=com)
  )
  (&
    (objectClass=groupOfNames)
    (member=cn=username,ou=test,dc=example,dc=com)
  )
  (&
    (objectClass=groupOfUniqueNames)
    (uniqueMember=cn=username,ou=test,dc=example,dc=com)
  )
)

... then I get the entries I want back. Problem here is that I'm unable
to alter the search filter, since this is generated by a 3rd-party app
that I can't change, so I need to fix my OpenLDAP to let this stuff pass
through.

Any idea?

- Marius
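
Added example, not part of the original post and not OpenLDAP code: a small parser that walks an application-generated filter and lists the objectClass values missing from a given set of known classes, so they can be matched against the "?objectClass=..." entries in the log. The function names are hypothetical, and KNOWN_CLASSES is an assumption taken from the three classes the post reports as passing through unchanged.

```python
# Assumption: classes the proxy's schema defines (the three the post's log
# left unchanged). Replace with the classes from your own loaded schema.
KNOWN_CLASSES = {"group", "groupofnames", "groupofuniquenames"}

DN = "cn=username,ou=test,dc=example,dc=com"
# The filter from the post, written on one line.
POSTED_FILTER = (
    f"(|(&(objectClass=group)(member={DN}))"
    f"(&(objectClass=groupOfNames)(member={DN}))"
    f"(&(objectClass=groupOfUniqueNames)(uniqueMember={DN}))"
    f"(&(objectClass=accessGroup)(member={DN}))"
    f"(&(objectClass=univentionGroup)(uniqueMember={DN})))"
)

def parse(s, i=0):
    """Parse one RFC 4515 filter at s[i]; return (node, next_index)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        # Composite node: (op, [children])
        op, children = s[i], []
        i += 1
        while s[i:i + 1] == "(":
            child, i = parse(s, i)
            children.append(child)
        if s[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = s.find(")", i)  # a literal ')' inside a value is escaped as \29
    attr, sep, value = s[i:end].partition("=")
    if end == -1 or not sep:
        raise ValueError(f"malformed item at offset {i}")
    return ("item", attr, value), end + 1

def unknown_object_classes(filter_text, known=KNOWN_CLASSES):
    """List objectClass values in the filter that are not in `known`."""
    flat = "".join(line.strip() for line in filter_text.splitlines())
    tree, end = parse(flat)
    if end != len(flat):
        raise ValueError(f"trailing data at offset {end}")
    found, stack = [], [tree]
    while stack:
        node = stack.pop(0)
        if node[0] != "item":
            stack[0:0] = node[1]  # depth-first, left to right
        elif (node[1].lower() == "objectclass" and node[2] != "*"
              and node[2].lower() not in known and node[2] not in found):
            found.append(node[2])
    return found
```

The indented multi-line form shown in the post is accepted as well; presence tests such as (objectClass=*) are skipped.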