Re: Invalid Add operations allowed (ITS#2243)
>> All versions of openldap allow the creation of a dn with a cn
>> attribute even if the objectclass doesn't include a cn. For example, I
>> can add the following object without an error.
In RFC2251-6 I didn't find any explicit mention of the fact
that an attr in the rdn MUST be present in the entry in type
or value. However, in "4.7. Add Operation" of RFC 2251 I see:

   - attributes: the list of attributes that make up the content of the
     entry being added. Clients MUST include distinguished values
     (those forming the entry's own RDN) in this list, the objectClass
     attribute, and values of any mandatory attributes of the listed
     object classes. Clients MUST NOT supply the createTimestamp or
     creatorsName attributes, since these will be generated
     automatically by the server.

which means that slapd is not checking the consistency of an entry
when added. It does when the rdn is modified (e.g. keeps the entry's
values in sync with those of the rdn). I guess we need to enforce
this check at add.
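
Added example, not part of the original message and not slapd's code: a Python sketch of the add-time check discussed above, verifying that every distinguished value in the entry's RDN appears in the supplied attribute list (RFC 2251 section 4.7). The function names, the sample entries and the case-insensitive value comparison are assumptions; schema validation (whether the object class allows the attribute) is a separate check and is not shown.

```python
import re

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]          # keep the escape pair intact
            i += 2
        elif s[i] == sep:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur += s[i]
            i += 1
    return parts + [cur]

def unescape(value):
    """Decode \\XX hex pairs and \\c escapes (single-byte values only)."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", repl, value)

def rdn_avas(dn):
    """Return (type, value) pairs of the leftmost RDN, which may be multi-valued."""
    rdn = split_unescaped(dn, ",")[0]
    pairs = []
    for ava in split_unescaped(rdn, "+"):
        atype, _, value = ava.partition("=")
        pairs.append((atype.strip().lower(), unescape(value)))
    return pairs

def missing_rdn_values(dn, attrs):
    """List RDN values absent from attrs. Assumption: values compare
    case-insensitively, as caseIgnoreMatch attributes such as cn do."""
    present = {k.lower(): {v.lower() for v in vals} for k, vals in attrs.items()}
    return [(t, v) for t, v in rdn_avas(dn) if v.lower() not in present.get(t, set())]

# Constructed sample entries (not taken from the ITS report).
BAD_DN = "cn=test,dc=example,dc=com"
BAD_ATTRS = {"objectClass": ["organizationalUnit"], "ou": ["test"]}
GOOD_DN = "cn=Smith\\, John+uid=jsmith,ou=People,dc=example,dc=com"
GOOD_ATTRS = {"objectClass": ["inetOrgPerson"], "sn": ["Smith"],
              "cn": ["Smith, John"], "uid": ["jsmith"]}

if __name__ == "__main__":
    for dn, attrs in ((BAD_DN, BAD_ATTRS), (GOOD_DN, GOOD_ATTRS)):
        print(dn, "->", missing_rdn_values(dn, attrs) or "consistent")
```

A server-side add handler could reject the request when the returned list is non-empty, or add the missing values itself, mirroring what the message says already happens when the rdn is modified.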