
Bug 536703 - Don't send empty mod to AD for mapped DN values

When using winsync, setting a mapped DN attribute (such as seeAlso) to
a DN outside the scope of the sync agreement causes an empty modify
operation to be sent to AD.  This causes AD to respond with LDAP error
89, which triggers the update to abort.

The problem is that windows_update_remote_entry() uses a flag to
determine if it has a modify to send to AD.  This flag is set by
windows_generate_update_mods(), but the mods are empty since it is
detecting that the DN used in seeAlso is not in the scope of the sync
agreement.

The fix is to only set the modify flag if we actually have mods to send.
Nathan Kinder 16 years ago
commit 4d93699a71
1 changed files with 5 additions and 1 deletions

+ 5 - 1
ldap/servers/plugins/replication/windows_protocol_util.c

@@ -3818,7 +3818,11 @@ windows_generate_update_mods(Private_Repl_Protocol *prp,Slapi_Entry *remote_entr
 						slapi_mods_add_mod_values(smods,LDAP_MOD_ADD,local_type,valueset_get_valuearray(vs));
 					}
 				}
-				*do_modify = 1;
+
+				/* Only set the do_modify flag if smods is not empty */
+				if (slapi_mods_get_num_mods(smods) > 0) {
+					*do_modify = 1;
+				}
 			}
 		}
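
Review bot: The added test `if (slapi_mods_get_num_mods(smods) > 0)` counts every mod accumulated in smods, not just the ones this branch added, so it reads oddly inside the per-attribute block. Since the condition depends only on smods, consider evaluating it once after all mods have been generated, so that *do_modify is derived from smods in a single place. The comment above the check would also be more useful if it said why an empty smods must not set the flag: per the commit message, AD answers an empty modify with LDAP error 89 and the update aborts. It may also be worth having windows_update_remote_entry() test for an empty mod list before sending, so the flag and the list cannot disagree.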