Prior to client 4.91 SP2 the LDAP contextless login module never looked
for aliases. The search filter used was:


With 4.91 SP2 the filter is now:

(&(|(objectClass=inetOrgPerson)(objectClass=aliasObject))(|(cn=username)))

With our tree design this causes the user to be presented with a choice
of the real user object as well as several aliases (same cn, different
context). It won't matter what they choose (they will always log in
successfully), but it would be a usability disaster for our site (and I
guess many others) if we roll this out.

There is no option to control this behavior and I was unable to find any
documentation about this change.

Does anybody have any ideas or some other useful information?
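
The behaviour described in the post, as an added example that is not part of the original post and not Novell client code: a small evaluator runs the 4.91 SP2 filter over a constructed tree and shows that one cn yields several hits which all resolve to the same object. The DNs, the `jdoe` user and the helper names are constructed, and the aliases are assumed to carry the standard `aliasedObjectName` attribute.

```python
# Constructed sample tree (not from the post): one real user, two aliases
# with the same cn in other contexts, and an unrelated user.
ENTRIES = [
    ("cn=jdoe,ou=staff,o=example", {"objectClass": ["inetOrgPerson"], "cn": ["jdoe"]}),
    ("cn=jdoe,ou=lab1,o=example", {"objectClass": ["aliasObject"], "cn": ["jdoe"],
                                   "aliasedObjectName": ["cn=jdoe,ou=staff,o=example"]}),
    ("cn=jdoe,ou=lab2,o=example", {"objectClass": ["aliasObject"], "cn": ["jdoe"],
                                   "aliasedObjectName": ["cn=jdoe,ou=staff,o=example"]}),
    ("cn=asmith,ou=staff,o=example", {"objectClass": ["inetOrgPerson"], "cn": ["asmith"]}),
]
SP2_FILTER = "(&(|(objectClass=inetOrgPerson)(objectClass=aliasObject))(|(cn=jdoe)))"

def parse(f, i=0):
    """Parse the filter subset used here: (&...), (|...) and (attr=value)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if f[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is unterminated
    attr, _, value = f[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    _, attr, value = node
    return value.lower() in (v.lower() for v in attrs.get(attr, []))

def search(filter_text, entries=ENTRIES):
    """Return the DNs a contextless lookup would offer the user."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [dn for dn, attrs in entries if matches(tree, attrs)]

def login_targets(filter_text, entries=ENTRIES):
    """Collapse hits to the distinct objects they resolve to."""
    by_dn = dict(entries)
    hits = search(filter_text, entries)
    return sorted({by_dn[dn].get("aliasedObjectName", [dn])[0] for dn in hits})
```

`search(SP2_FILTER)` returns three DNs, which is the choice list the user would see, while `login_targets(SP2_FILTER)` returns the single real object behind all of them.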