[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Invalid Add operations allowed (ITS#2243)

> As I already say, Iplanet (and it's ancestor - Sun Directory Server)
> enforces such check at add. It even adds dn-forming attribute/value to
> entry if no values for this attribute is given.
> And I can say from my experience with it and with OpenLDAP,
> it's much easier to maintain base in consistent state
> when dn-forming attrs added to entry automatically when needed.
> Also I can say what RFC2251-6 doesn't disallow such operations
> at server side, altough it isn't requires that, so slapd _can_
> perform this and it still be rfc-compliant.
> I think best solution is adding a conf option, saying what to do
> when such add operation comes:

I'm not in favour of this.  The rule must be one, consisting
in the correct interpretation of the standard track.

> 	- accept operation - it's current behavor;

If we agree this is not correct, I'd dispose of this option

> 	- reject operation - btw, which error code must be returned?

In my opinion this is the best option, although I'm already hearing
weeps and cries "It worked until yesterday, why doesn't it work any
more?".  As for the error code, I propose constraintViolation,
although objectClassViolation would be an alternative.

> 	- add missing value (computed from entry DN)

This might be a safe default, at the cost of doing something
the user had not intended to.

I just committed code that implements the two last options
(the third is on by default, although I favor the second;
to enable the first, #define BAILOUT in servers/slapd/add.c)


Pierangelo Masarati