Currently I have a Directory Proxy 22.214.171.124.0 instance configured to provide an LDAP view to a backend Directory Server 126.96.36.199.0 instance.
When performing an ldapsearch on certain entries (groups, netgroups), if I specify certain attributes to be returned in the ldapsearch, then I don't get anything returned.
$ ldapsearch -b dc=example,dc=com -h localhost -p 1389 cn=mynetgroup
But if I specify only the nisnetgrouptriple attribute, then nothing is returned.
$ ldapsearch -b dc=example,dc=com -h localhost -p 1389 cn=mynetgroup nisNetgroupTriple
This Solaris system is also cliented to the directory proxy and I can do a ldaplist passwd username and it works, but if I specify ldaplist group groupname then I get Object not found.
If I point the client to the directory server, bypassing the proxy, then everything works as expected.
Hopefully it's just something obvious I am overlooking in the configuration. I don't see anything in the error logs.
For the entries that exhibit this behavior (net groups, group of unique names), if an attribute is specified in the ldap search then it doesn't return anything. I can search for posixAccounts and specify attributes in the ldapsearch and it doesn't exhibit this behavior.
I would recommend looking at the DPS and DS access logs and comparing the requests. For information, requests received by DPS are tagged as 'OPERATION'; requests forwarded to the directory server are tagged as 'SERVER_OP'. The 2 requests should be identical if you don't use any virtualization features.
My 2 cents
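The comparison suggested in the reply above can be scripted. This is an added example, not part of the original thread or of the product: it pairs each 'OPERATION' search in a proxy access log with its 'SERVER_OP' counterpart and reports any field that differs. The sample lines are constructed, and the field layout (conn=, op=, base=, scope=, filter=, attrs=) and the pairing on conn/op are assumptions to adjust to the real log.

```python
import re

# Constructed sample lines. The field layout is an assumption, not real output.
SAMPLE_LOG = """\
[01/Jan/2010:10:00:00 +0000] - OPERATION - INFO - conn=5 op=1 msgid=2 SEARCH base="dc=example,dc=com" scope=2 filter="(cn=mynetgroup)" attrs="*"
[01/Jan/2010:10:00:00 +0000] - SERVER_OP - INFO - conn=5 op=1 SEARCH base="dc=example,dc=com" scope=2 filter="(cn=mynetgroup)" attrs="*" s_msgid=7
[01/Jan/2010:10:00:05 +0000] - OPERATION - INFO - conn=5 op=2 msgid=3 SEARCH base="dc=example,dc=com" scope=2 filter="(cn=mynetgroup)" attrs="nisNetgroupTriple"
[01/Jan/2010:10:00:05 +0000] - SERVER_OP - INFO - conn=5 op=2 SEARCH base="dc=example,dc=com" scope=2 filter="(cn=mynetgroup)" attrs="nisnetgrouptriple objectclass" s_msgid=8
"""

LINE_RE = re.compile(r"- (OPERATION|SERVER_OP)\s+- \w+\s+- conn=(\d+) op=(\d+) .*?\bSEARCH\b(.*)")
FIELD_RE = re.compile(r'\b(base|scope|filter|attrs)=(?:"([^"]*)"|(\S+))')

def parse_searches(log_text):
    """Return {(conn, op): {tag: {field: value}}} for every SEARCH line."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            tag, conn, op, rest = m.groups()
            fields = {name: quoted or bare for name, quoted, bare in FIELD_RE.findall(rest)}
            ops.setdefault((int(conn), int(op)), {})[tag] = fields
    return ops

def normalise(field, value):
    # Attribute names are case-insensitive and their order carries no meaning.
    if field == "attrs":
        return sorted(a.lower() for a in value.split())
    return value

def diff_requests(log_text):
    """Return (conn, op, field, client_value, backend_value) for each mismatch."""
    diffs = []
    for (conn, op), tags in sorted(parse_searches(log_text).items()):
        client, backend = tags.get("OPERATION"), tags.get("SERVER_OP")
        if client is None or backend is None:
            # One side of the pair never appeared, e.g. the search was not forwarded.
            diffs.append((conn, op, "unpaired", client, backend))
            continue
        for field in ("base", "scope", "filter", "attrs"):
            c, b = client.get(field, ""), backend.get(field, "")
            if normalise(field, c) != normalise(field, b):
                diffs.append((conn, op, field, c, b))
    return diffs

if __name__ == "__main__":
    for diff in diff_requests(SAMPLE_LOG):
        print(diff)
```

An empty result means the proxy forwarded every search unchanged, which points the investigation at the backend's response rather than the request.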