Re: Flaw in design about how delete's are handled (ITS#2425)
--On Sunday, April 06, 2003 11:56 AM -0700 "Kurt D. Zeilenga"
> At 10:36 PM 4/5/2003, email@example.com wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.1.16
>> OS: Solaris 8
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (220.127.116.11)
>> There is a major flaw in the way in which OpenLDAP handles modifies and
>> deletes of attributes. If there is no defined matching rule, it is
>> impossible to add multiple instances of multi-valued attributes,
> Per X.501(93), if there is no equality matching rule, no comparisons
> can be done. The client should not attempt to individually add/delete
> values when there is no matching rule as that requires the server to
> do comparisons and as such is not possible, causes the error to be
> returned. It should use replace instead.
>> and there is no way to delete
>> specific instances of a given attribute that has no matching rule.
> Per RFC 2251, clients are explicitly prohibited from issuing
> deletes of single values when there is no equality rule, they
> are to use replace instead. While not explicitly stated,
> clients are prohibited from issuing adds of single values to
> an existing attribute when there is no equality rule, they
> are to use replace instead. (The latter should be added
> to the LDAP technical specification when it is revised by the IETF.)
>> presents particular problems when trying to build programs with which to
>> write changes into the OpenLDAP directory system. To get such a program
>> to work, it has to know which attributes to treat as special, which adds
>> unnecessary layers/levels of complexity to a program that should not
>> need that logic built into it.
> Simply put, applications which modify the directory should be
> schema aware.
They should be aware to the extent of knowing what attributes they can
write to. I still do not see in your statements how one is supposed to
create multiple values for a multi-valued attribute with no matching rule,
only replace a single value with a new value. And again, you can only
delete a single value. Personally, I think attributes without matching
rules are somewhat broken in and of themselves. However, given that things
like facsimileTelephoneNumber don't have a defined matching rule (even
though it is a telephone number), it is something to be dealt with.
Senior Systems Administrator
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
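The thread leaves the practical question hanging: how does a client write several values to a multi-valued attribute that has no equality matching rule, or remove one of them, when the server cannot compare values? The answer in Kurt's replies is "use replace", which means the client reads the current values, computes the new value set itself, and sends one replace operation. The following is an added example of such a schema-aware modify planner, written for this page and not part of the thread or of OpenLDAP; the SCHEMA table, the `Mod` type, the `plan_modify` and `to_ldif` helpers and all sample values are constructed assumptions, and the LDIF it emits is what a client would hand to ldapmodify.

```python
"""Schema-aware planning of LDAP modify operations (constructed example).

A client that knows which attributes lack an EQUALITY matching rule can
still add or remove individual values: it fetches the current values,
edits the list locally, and sends a single replace, as RFC 2251 requires.
"""
from dataclasses import dataclass

# Constructed schema excerpt. facsimileTelephoneNumber (RFC 4519) defines no
# EQUALITY rule, so the server cannot compare its values; cn and mail do.
SCHEMA = {
    "cn": {"equality": "caseIgnoreMatch"},
    "mail": {"equality": "caseIgnoreIA5Match"},
    "facsimileTelephoneNumber": {"equality": None},
}


@dataclass(frozen=True)
class Mod:
    op: str        # LDAP modify operation type: "add", "delete" or "replace"
    attr: str
    values: tuple  # values carried by the operation (empty = whole attribute)


def has_equality_rule(schema, attr):
    """True if the attribute defines an EQUALITY matching rule."""
    if attr not in schema:
        # Writing blind would reproduce the problem the thread describes.
        raise KeyError(f"unknown attribute {attr!r}: refusing to modify without schema")
    return schema[attr]["equality"] is not None


def plan_modify(schema, current, attr, add=(), delete=()):
    """Return the Mod operations a client should send for one attribute.

    `current` is the entry's present value list for `attr`, read beforehand.
    With an equality rule the server can compare, so per-value add/delete
    operations are sent unchanged. Without one, the client applies the edit
    to its local copy (exact byte comparison, which is all it can do) and
    sends a single replace with the complete new value set.
    """
    add, delete = list(add), list(delete)
    if has_equality_rule(schema, attr):
        mods = []
        if delete:
            mods.append(Mod("delete", attr, tuple(delete)))
        if add:
            mods.append(Mod("add", attr, tuple(add)))
        return mods

    # No matching rule: emulate the semantics locally, then replace.
    missing = [v for v in delete if v not in current]
    if missing:
        # A server with a matching rule would answer noSuchAttribute here.
        raise ValueError(f"cannot delete absent value(s) {missing!r} from {attr}")
    new_values = [v for v in current if v not in delete]
    new_values += [v for v in add if v not in new_values]
    # An empty replace removes the attribute entirely, which is the intended
    # result when the last value is deleted.
    return [Mod("replace", attr, tuple(new_values))]


def to_ldif(dn, mods):
    """Render the planned operations as an LDIF changetype: modify record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for m in mods:
        lines.append(f"{m.op}: {m.attr}")
        for v in m.values:
            lines.append(f"{m.attr}: {v}")
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed entry state: one fax number already present.
    dn = "cn=example,dc=example,dc=com"
    current = ["+1 650 555 0100"]
    # Adding a second fax number: becomes a replace carrying both values.
    print(to_ldif(dn, plan_modify(SCHEMA, current, "facsimileTelephoneNumber",
                                  add=["+1 650 555 0101"])))
    # Same edit on an attribute with a matching rule: a plain add.
    print(to_ldif(dn, plan_modify(SCHEMA, ["a@example.com"], "mail",
                                  add=["b@example.com"], delete=["a@example.com"])))
```

The planner only does what the protocol rules in the thread already require; the point is that the "which attributes are special" knowledge lives in one schema lookup rather than being scattered through the application, and that the read-before-write step is unavoidable for attributes without a matching rule because the server will not do the comparison for you.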