As requested, I am splitting the long and unclear #8560 into several issues. This issue is about (thinking about) changing how to tell BindAuthenticator which attributes to fetch.

I've described the behaviour in #8726. It's potentially confusing, and somewhat unergonomic.

Better behaviour

Have a single method the user can call to say "fetch these attributes" which works regardless of authentication strategy.

How to get better behaviour

Reverting 6b436ff409969 fixes this too, I think: it would mean that calling setUserAttributes always works. (Cf. #8727.)

You can also make setUserAttributes always work without reverting that commit, by having setUserAttributes modify the userSearch field which BindAuthenticator inherits from its parent class. If you do that, mention it in the javadoc for setUserAttributes.
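An added example, not part of the original issue or of the project's code: the two places the attribute list currently has to go, depending on how the user's DN is obtained. It assumes the behaviour at issue is that `setUserAttributes` applies on the DN-pattern path, while a user located through `userSearch` keeps whatever attributes the search returned. The directory URL, search base, filter and attribute names are constructed placeholders.

```java
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

public class BindAuthenticatorAttributes {

    // Attributes the application wants on the authenticated entry (constructed sample).
    // Listing them explicitly keeps the fetch limited to what the application uses.
    static final String[] WANTED = { "cn", "mail", "memberOf" };

    // Strategy 1: DN patterns. The authenticator reads the entry itself after the bind,
    // so the list is given to the authenticator via setUserAttributes.
    static BindAuthenticator withDnPatterns(DefaultSpringSecurityContextSource ctx) {
        BindAuthenticator auth = new BindAuthenticator(ctx);
        auth.setUserDnPatterns(new String[] { "uid={0},ou=people" });
        auth.setUserAttributes(WANTED);
        auth.afterPropertiesSet();
        return auth;
    }

    // Strategy 2: user search. Assumption (see lead-in): the entry's attributes come
    // from the search result, so the same list is given to the search object instead.
    static BindAuthenticator withUserSearch(DefaultSpringSecurityContextSource ctx) {
        FilterBasedLdapUserSearch search =
                new FilterBasedLdapUserSearch("ou=people", "(uid={0})", ctx);
        search.setReturningAttributes(WANTED);

        BindAuthenticator auth = new BindAuthenticator(ctx);
        auth.setUserSearch(search);
        auth.afterPropertiesSet();
        return auth;
    }

    public static void main(String[] args) {
        // Placeholder directory URL (constructed for this example).
        DefaultSpringSecurityContextSource ctx = new DefaultSpringSecurityContextSource(
                "ldap://ldap.example.invalid:389/dc=example,dc=org");
        ctx.afterPropertiesSet();

        BindAuthenticator byPattern = withDnPatterns(ctx);
        BindAuthenticator bySearch = withUserSearch(ctx);
        System.out.println("configured: " + byPattern + ", " + bySearch);
    }
}
```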

Comment From: rwinch

We cannot revert the behavior as it would break the reporter of that issue. We should instead consider allowing a strategy to be provided or customized.