IBM Support

Proxy server does not support subtree based search for ibm-allgroups

Troubleshooting


Problem

LDAP search operations with subtree scope that request ibm-allgroups against the proxy server receive a "DSA unwilling to perform" return code.

Cause

The Proxy Server does not support a subtree-scoped search that requests ibm-allgroups. When using the Proxy Server, client applications must perform two separate operations: first search for the qualifying user DN, then search again using that user DN for ibm-allgroups.

Resolving The Problem

Search requests with 'sub' (a.k.a. subtree) scope that request the ibm-allgroups attribute against the proxy server receive a "DSA unwilling to perform" return code. This is working as designed.

The task can be accomplished by changing the scope to 'base' on the user entry DN.

Example: The following examples demonstrate the command-line methods to observe and resolve this problem.
LDAP searches that receive the "DSA unwilling to perform" return code:

1) idsldapsearch -D <BindDN> -w <BindPW> -b <suffixDN> -s sub <filter>  ibm-allgroups
ldap_search: DSA is unwilling to perform

e.g.:
# idsldapsearch -D cn=root -w pw -s sub -b o=sample "cn=eddie*" ibm-allgroups
ldap_search: DSA is unwilling to perform

2) idsldapsearch -D <BindDN> -w <BindPW> -b <suffixDN> <filter>  ibm-allgroups
ldap_search: DSA is unwilling to perform

e.g.:
# idsldapsearch -D cn=root -w pw -b o=sample "objectclass=*" ibm-allgroups
ldap_search: DSA is unwilling to perform


LDAP search combination that works:

a) idsldapsearch -D <BindDN> -w <BindPW> -b <suffixDN> -s sub <filter> dn
   idsldapsearch -D <BindDN> -w <BindPW> -b <UserDN> -s base <filter> ibm-allgroups

e.g.:
# idsldapsearch -D cn=root -w pw -s sub -b o=sample "cn=eddie*" dn

cn=Eddie Catu,ou=In Flight Systems,ou=Austin,o=sample

# idsldapsearch -D cn=root -w pw -s base -b "cn=Eddie Catu, ou=In Flight Systems, ou=Austin, o=sample" "cn=eddie*" ibm-allgroups

cn=Eddie Catu,ou=In Flight Systems,ou=Austin,o=sample
ibm-allgroups=CN=BOWLING TEAM,OU=GROUPS,O=SAMPLE



Note: This restriction applies only to the TDS server instance running as a Proxy server, and only to ibm-allgroups. The search works against the TDS server instances running directly as back ends.
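
The two-step workaround above, wrapped as a shell function. This is an added example, not IBM's code; it goes slightly beyond the page by running the base-scoped search once for every DN the first search returns, since a filter such as "cn=eddie*" can match more than one entry. The function name allgroups_via_proxy and the LDAPSEARCH override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: two-step ibm-allgroups lookup that works through the proxy.
# LDAPSEARCH is an assumed override hook; it defaults to idsldapsearch,
# the command used on this page.
: "${LDAPSEARCH:=idsldapsearch}"

# Usage: allgroups_via_proxy <BindDN> <BindPW> <suffixDN> <filter>
# Prints one "<UserDN><TAB><GroupDN>" line per group membership.
allgroups_via_proxy() {
    bind_dn=$1 bind_pw=$2 suffix=$3 filter=$4

    # Step 1: subtree search that asks for the DN only. Requesting
    # ibm-allgroups here is what the proxy rejects.
    dns=$("$LDAPSEARCH" -D "$bind_dn" -w "$bind_pw" \
            -s sub -b "$suffix" "$filter" dn) || return 1

    # Step 2: one base-scoped search per DN, now requesting ibm-allgroups.
    printf '%s\n' "$dns" | while IFS= read -r dn; do
        [ -n "$dn" ] || continue          # skip blank separator lines
        # </dev/null keeps the search command from reading the DN list.
        "$LDAPSEARCH" -D "$bind_dn" -w "$bind_pw" \
            -s base -b "$dn" "$filter" ibm-allgroups </dev/null |
            sed -n 's/^ibm-allgroups=//p' |
            while IFS= read -r grp; do
                printf '%s\t%s\n' "$dn" "$grp"
            done
    done
}
```

A failure of the first search (for example a bind error) makes the function return 1; a failure of an individual base search yields no output lines for that DN.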

Product: IBM Security Directory Server
Component: General
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 6.0; 6.1; 6.2; 6.3; 6.3.1; 6.4; 8.0; 8.0.1

Product Synonym

TDS

Document Information

Modified date:
16 June 2018

UID

swg21250281