May 12, 2004

LDAP proxy -- but not for ALL attributes

Well, I can get the OpenLDAP proxy server working, but MacOS X likes to send queries for ALL attributes (that is, an empty attribute query, not even “*”).

Most of the queries that MacOS X sends at login are requesting “ALL” attributes, and there does not seem to be a way of specifying this in any attribute set in the OpenLDAP proxy cache. Thus, these queries aren’t cacheable without some code changes in OpenLDAP (or possibly in MacOS X). MacOS X (10.2) shows the following query templates on login:

  • 14 of filter="(&(|(objectClass=posixAccount))(uid=))" attrs=ALL
  • 6 of filter="(&(|(objectClass=posixAccount))(uidNumber=))" attrs=ALL
  • 3 of filter="(&(|(objectClass=posixGroup))(memberUid=))" attrs=ALL
  • 2 of filter="(&(|(objectClass=posixGroup))(memberUid=))" attrs=ALL

…and a few other single instances for groups. The 14 queries of the first kind are what kill Sun ONE, and it would be very nice to have these cached on OpenLDAP. But the lack of a cacheable ALL query is problematic.
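To make the shape of the problem concrete, here is an added example (not from the post, and not a configuration the author published) of an OpenLDAP 2.2-era slapd.conf proxy-cache stanza built from the query templates above. The suffix, URI, cache sizes, TTLs and on-disk directory are assumptions for illustration; the attribute lists are the RFC 2307 posixAccount and posixGroup attributes. Later OpenLDAP releases renamed the overlay and its directives, so the spelling here is specific to the 2.2 series.

```conf
# Added example, not from the original post.
# Suffix, URI, sizes, TTLs and directory are assumed values.
database        ldap
suffix          "dc=example,dc=com"
uri             ldap://ldap.example.com/
overlay         proxycache

# <backend> <max cached entries> <number of attribute sets>
#           <entry limit per query> <consistency check period, seconds>
proxycache      bdb 100000 2 1000 100

# attribute set 0: RFC 2307 posixAccount attributes
proxyattrset    0 objectClass uid uidNumber gidNumber cn homeDirectory loginShell gecos
# attribute set 1: RFC 2307 posixGroup attributes
proxyattrset    1 objectClass cn gidNumber memberUid

# filter templates: assertion values are left empty, exactly as in the
# templates logged at login; <attribute set index> <TTL seconds>
proxytemplate   (&(|(objectClass=posixAccount))(uid=))        0 3600
proxytemplate   (&(|(objectClass=posixAccount))(uidNumber=))  0 3600
proxytemplate   (&(|(objectClass=posixGroup))(memberUid=))    1 3600

# bdb settings for the local cache database
cachesize       20
directory       /var/lib/ldap/pcache
index           objectClass eq
index           uid,uidNumber,gidNumber,memberUid eq
```

The cache only answers a search when its filter matches a template and the attributes it requests are a subset of that template's attribute set. A search that arrives with an empty attribute list (which the LDAP protocol defines as "all user attributes") is not a subset of set 0 or set 1, so it is forwarded to the backend every time; a stanza like this helps only clients that name the attributes they want.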

I have not yet investigated whether 10.3 changes this behavior at all. I have tried to find out whether there is any way to limit the searches to particular attributes in 10.2, but apparently there is no way. The LDAPv3 DirectoryServices plugin in 10.3 doesn’t look at all different from that in 10.2.

——

But there is now an Active Directory plugin for DirectoryServices. This may be of use, depending on exactly what kind of Active Directory communication it uses.

Posted by Rowan Littell at May 12, 2004 11:32 AM