
Re: Invalid Add operations allowed (ITS#2243)

>> All versions of openldap allow the creation of a dn with a cn
>> attribute even if the objectclass doesn't include a cn. For example, I
>> can add the following object without an error.

in RFC2251-6 I didn't find any explicit mention of the fact
that an attr in the rdn MUST be present in the entry in type
or value.  However, in " 4.7. Add Operation" of rfc 2251 I see

   - attributes: the list of attributes that make up the content of the
     entry being added.  Clients MUST include distinguished values
     (those forming the entry's own RDN) in this list, the objectClass
     attribute, and values of any mandatory attributes of the listed
     object classes.  Clients MUST NOT supply the createTimestamp or
     creatorsName attributes, since these will be generated
     automatically by the server.

which means that slapd is not checking the consistency of an entry
when added.  It does when the rdn is modified (e.g. keeps the entry's
values in sync with those of the rdn).  I guess we need to enforce
this check at add.



Pierangelo Masarati
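The check the message argues slapd should perform at Add time, written out as an added example (it is not slapd code and not part of the original thread): parse the entry's own RDN, including multi-valued `a=1+b=2` forms and backslash-escaped separators, and report every RFC 2251 section 4.7 requirement the request violates. Attribute type names are compared case-insensitively as LDAP requires; comparing RDN values case-insensitively is an assumption made here for brevity, since the real comparison depends on each attribute's equality matching rule. The schema question raised in the quoted report (an RDN attribute that the entry's object classes do not permit) is a separate object class check and is not covered by this function.

```python
"""Consistency check for an LDAP Add request, modelled on RFC 2251 section 4.7.

Hypothetical helper written for illustration; not slapd's implementation.
"""

from typing import Dict, List, Tuple


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving backslash-escaped separators (RFC 2253 style) intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(c)
            cur.append(s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    """Remove the backslash from escaped characters in an attribute value."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append(v[i + 1])
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def parse_rdn(dn: str) -> List[Tuple[str, str]]:
    """Return the (type, value) pairs of the leftmost RDN of dn.

    Multi-valued RDNs (cn=a+sn=b) yield one pair per component; types are
    lower-cased, values are unescaped.
    """
    if not dn.strip():
        raise ValueError("empty DN")
    rdn = _split_unescaped(dn, ",")[0]
    avas = []
    for ava in _split_unescaped(rdn, "+"):
        if "=" not in ava:
            raise ValueError(f"malformed RDN component: {ava!r}")
        t, v = ava.split("=", 1)
        avas.append((t.strip().lower(), _unescape(v.strip())))
    return avas


def check_add(dn: str, attrs: Dict[str, List[str]]) -> List[str]:
    """Return the RFC 2251 4.7 violations for an Add of entry dn carrying attrs.

    An empty list means the request is consistent: objectClass is present, no
    server-generated attribute was supplied, and every RDN type and value of
    the entry's own RDN appears in the attribute list.
    """
    norm = {k.lower(): list(v) for k, v in attrs.items()}
    problems = []
    if not norm.get("objectclass"):
        problems.append("objectClass attribute missing")
    for generated in ("createtimestamp", "creatorsname"):
        if generated in norm:
            problems.append(f"client supplied server-generated attribute {generated}")
    for t, v in parse_rdn(dn):
        if t not in norm:
            problems.append(f"RDN attribute {t} absent from entry")
        # Assumption: case-insensitive value match; real servers apply the
        # attribute's equality matching rule instead.
        elif v.lower() not in [x.lower() for x in norm[t]]:
            problems.append(f"RDN value {t}={v!r} absent from entry")
    return problems


if __name__ == "__main__":
    # Constructed sample requests: the first is valid, the second omits the
    # RDN attribute entirely, the third carries a different cn value.
    base = {"objectClass": ["person"], "sn": ["Doe"]}
    print(check_add("cn=John Doe,dc=example,dc=com", {**base, "cn": ["John Doe"]}))
    print(check_add("cn=John Doe,dc=example,dc=com", base))
    print(check_add("cn=John Doe,dc=example,dc=com", {**base, "cn": ["Jane Doe"]}))
```

Run as a script, the three sample requests print an empty list, a missing-attribute report and a missing-value report respectively; a server enforcing this at Add would reject the last two with a constraint or naming violation instead of storing an entry whose RDN does not match its contents.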