Another problem is that some ldap search ask for all LDAP attributes (*) while only using the cn. This is not optimal.
(from redmine: issue id 724, created on 2012-03-27, closed on 2012-03-29)