
Re: Flaw in design about how delete's are handled (ITS#2425)

At 10:36 PM 4/5/2003, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.1.16
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (
>There is a major flaw in the way in which OpenLDAP handles modifies and deletes
>of attributes.  If there is no defined matching rule, it is impossible to add
>multiple instances of multi-valued attributes,

Per X.501(93), if there is no equality matching rule, no comparisons
can be done.  The client should not attempt to individually add/delete
values when there is no matching rule, as that requires the server to
do comparisons, which is not possible and causes the error to be
returned.  It should use replace instead.

>and there is no way to delete
>specific instances of a given attribute that has no matching rule.

Per RFC 2251, clients are explicitly prohibited from issuing
deletes of single values when there is no equality rule, they
are to use replace instead.  While not explicitly stated,
clients are prohibited from issuing adds of single values to
an existing attribute when there is no equality rule, they
are to use replace instead. (The latter should be added
to the LDAP technical specification when it is revised by the IETF.)

>presents particular problems when trying to build programs with which to write
>changes into the OpenLDAP directory system.  To get such a program to work, it
>has to know which attributes to treat as special, which adds unnecessary
>layers/levels of complexity to a program that should not need that logic built
>into it.

Simply put, applications which modify the directory should be
schema aware.
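As an added illustration (not code from the ITS thread or from OpenLDAP) of what "schema aware" means for a client: the helper below consults the attribute type's EQUALITY rule and emits a per-value add/delete only when one exists, falling back to a replace of the full value set otherwise, as the reply above prescribes. The schema table, the attribute names and the value lists are constructed for the example.

```python
# Added example, not part of the ITS thread.  A schema-aware client that
# chooses between per-value add/delete and whole-attribute replace, depending
# on whether the attribute type has an EQUALITY matching rule (RFC 2251).
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class AttributeType:
    name: str
    equality: Optional[str]  # None when the schema defines no EQUALITY rule

# Constructed schema snippet; a real client reads this from the server's
# subschema subentry.  'cn' has an equality rule, 'audio' has none.
SCHEMA = {
    "cn": AttributeType("cn", "caseIgnoreMatch"),
    "audio": AttributeType("audio", None),
}

Change = Tuple[str, str, List[str]]  # (operation, attribute, values)

def has_equality_rule(attr: str) -> bool:
    at = SCHEMA.get(attr.lower())
    if at is None:
        raise KeyError(f"unknown attribute type {attr!r}")
    return at.equality is not None

def build_delete_value(attr: str, victim: str, current: Sequence[str]) -> Change:
    """Remove one value of `attr`; `current` is the entry's present value set."""
    if has_equality_rule(attr):
        # The server can match the value, so a single-value delete is legal.
        return ("delete", attr, [victim])
    # No equality rule: single-value delete is prohibited, so replace the
    # whole value set minus the victim.  Comparison happens client-side on
    # the raw octets, since the server has no rule to compare with.
    remaining = [v for v in current if v != victim]
    if len(remaining) == len(current):
        raise ValueError(f"value not present in {attr}")
    return ("replace", attr, remaining)

def build_add_value(attr: str, new: str, current: Sequence[str]) -> Change:
    """Add one value to `attr`; `current` is the entry's present value set."""
    if has_equality_rule(attr):
        return ("add", attr, [new])
    # No equality rule: send the complete new value set as a replace.
    return ("replace", attr, list(current) + [new])
```

The replace path is a read-modify-write, so two clients editing the same attribute concurrently can overwrite each other's change; a real client should reread the entry (or use an assertion control, where supported) before sending the replace.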