Substrings in attributes - changing schemas

[Nick Milas <nick@eurobjects.com>]

Hi,

I store my DNS records in openldap (I use powerdns with ldap backend) 
and I am trying to use a search filter like: (aRecord=10.11.12.*) but it 
never produces results.

I noticed that aRecord is defined in dnsDomain schema (available in 
cosine.schema) and inherited in dnsDomain2 schema (which is used by 
powerdns, available here: 
http://www.linuxnetworks.de/pdnsldap/dnsdomain2.schema).

I came to the conclusion that the problem may be caused by the fact that 
aRecord (oid: 0.9.2342.19200300.100.1.26) in cosine.schema has no 
substring matching rule defined in schema:

   attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

I thought of modifying it in order to allow substring matching, like:

   attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
            EQUALITY caseIgnoreIA5Match
            SUBSTR caseIgnoreIA5SubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Questions:

  1. Is the above logic correct, i.e. has the cause of the problem been
     identified correctly?
  2. Is there any other way we can search substrings of values in this
     (or other similar) attribute(s) without modifying the schema(s)?
  3. Can an LDAP administrator freely modify an organisation's
     schema(s) whenever it is deemed appropriate? Are there any risks
     by doing it? (I understand one should be cautious when upgrading
     openldap, and take care to "cascade" modifications to the upgraded
     version.)
     - AND/OR -
     Is there any process of "schema evolution" where LDAP server users
     provide feedback so that standard schema(s) are globally adapted
     to user request(s)?
     In the end: What is the easiest recommended way of using
     customized schema(s) in an organization?

Please advise.

Thanks in advance,
Nick