Handling of Modify and NULLs By LDAP Servers

["Graeme Joyce" <openldap-list@jade.co.nz>]

We are using the Netscape Directory SDK 3.0 for C, and have found
differences in the way that Netscape and OpenLDAP servers handle NULL
values, and the modification of entries.

1. According to the SDK documentation, a NULL value is interpreted in the
following way by the ldap_modify_ext_s routine when using a mod_op value of
LDAP_MOD_REPLACE:

"If you set a NULL value for the attribute (either by setting the mod_values
field to NULL, or by setting the mod_bvalues field to NULL when the mod_op
field contains LDAP_MOD_BVALUES), the attribute will be removed from the
entry."

This works as documented on a Netscape server. However, an OpenLDAP server
returns a "Protocol Error" in the same situation.

2. If ldap_modify_ext_s is used with a mod_op value of LDAP_MOD_DELETE to
delete a specific value from an attribute, a Netscape server will delete the
actual attribute when its last value has been deleted; however, an OpenLDAP
server retains the attribute even after its last value has been deleted. It
is necessary to issue a further LDAP_MOD_DELETE, with a value of NULL, to
delete the empty attribute from the server.

3. If ldap_modify_ext_s is used with a mod_op value of LDAP_MOD_ADD to add
an attribute that has a null value,
the Netscape server stores a null string ("") as the value, and a subsequent
call to ldap_get_values returns an array with a single value of "".

In the same situation, an OpenLDAP server stores no value at all in the
attribute, and a subsequent call to ldap_get_values returns NULL.

Can anyone confirm whether the OpenLDAP server is behaving as intended?

Many thanks,
Robin Arzoni
Aoraki Corporation, Christchurch, New Zealand
rarzoni@jade.co.nz