Currently if an LDAPModify command wants to modify an attribute that is not retrieved from LDAP by default, we use (a variation of) the following:

            if 'objectclass' in entry_attrs:
                obj_classes = entry_attrs['objectclass']
            else:
                (_dn, _entry_attrs) = ldap.get_entry(
                    dn, ['objectclass']
                )
                obj_classes = _entry_attrs['objectclass']

This is not just ugly, it's also conceptually wrong. LDAPEntry keeps a copy of the previous state, and uses that to generate modlists. Luckily, sticking in attributes that were not loaded before generates correct modlists, they're just longer than necessary.

To simplify plugin code and prevent unnecessary LDAP queries and modlist entries, we should:

• Implement some kind of LDAPEntry.load_attrs() that would correctly load extra attributes into an existing LDAPEntry.
• Allow the baseldap Commands to specify a list of extra attributes that are always to be loaded (and consolidate the attrlist generation that's now copy+pasted in about 8 places).
• Possibly have the list of loaded attributes depend on the options (e.g. host_mod needs objectclass if changing macaddress, krbprincipalname, ipasshpubkey or krbticketflags)