
Re: Flaw in design about how delete's are handled (ITS#2425)




--On Sunday, April 06, 2003 11:56 AM -0700 "Kurt D. Zeilenga" 
<Kurt@OpenLDAP.org> wrote:

> At 10:36 PM 4/5/2003, quanah@stanford.edu wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.1.16
>> OS: Solaris 8
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (171.66.182.82)
>>
>>
>> There is a major flaw in the way in which OpenLDAP handles modifies and
>> deletes of attributes.  If there is no defined matching rule, it is
>> impossible to add multiple instances of multi-valued attributes,
>
> Per X.501(93), if there is no equality matching rule, no comparisons
> can be done.  The client should not attempt to individually add/delete
> values when there is no matching rule as that requires the server to
> do comparisons and as such is not possible, causes the error to be
> returned.  It should use replace instead.
>
>> and there is no way to delete
>> specific instances of a given attribute that has no matching rule.
>
> Per RFC 2251, clients are explicitly prohibited from issuing
> deletes of single values when there is no equality rule, they
> are to use replace instead.  While not explicitly stated,
> clients are prohibited from issuing adds of single values to
> an existing attribute when there is no equality rule, they
> are to use replace instead. (The latter should be added to the
> LDAP technical specification when it is revised by the IETF.)
>
>> This
>> presents particular problems when trying to build programs with which to
>> write changes into the OpenLDAP directory system.  To get such a program
>> to work, it has to know which attributes to treat as special, which adds
>> unnecessary layers/levels of complexity to a program that should not
>> need that logic built into it.
>
> Simply put, applications which modify the directory should be
> schema aware.

They should be aware to the extent of knowing what attributes they can 
write to.  I still do not see in your statements how one is supposed to 
create multiple values for a multi-valued attribute with no matching rule, 
only replace a single value with a new value.  And again, you can only 
delete a single value.  Personally, I think attributes without matching 
rules are somewhat broken in and of themselves.  However, given that things 
like facsimileTelephoneNumber don't have a defined matching rule (even 
though it is a telephone number), it is something to be dealt with.

--Quanah


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
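The following is an added illustration of the client-side handling the quoted reply calls for, not code from the thread or from OpenLDAP. It assumes a hand-written schema stub in place of the server's real subschema subentry: telephoneNumber is listed with the EQUALITY rule telephoneNumberMatch (as in RFC 2256) and facsimileTelephoneNumber with none, which is the case Quanah raises. For an attribute with an equality rule the client sends per-value add/delete as usual; for one without, it reads the current values, computes the final value set itself, and sends a single replace, which is the only operation the server can carry out without comparing values. The DN and sample values are constructed.

```python
"""Schema-aware LDAP modify planning (added example, not OpenLDAP code).

A server cannot compare values of an attribute that has no EQUALITY matching
rule, so per-value 'add' and 'delete' on such an attribute are rejected; the
client must instead send one 'replace' carrying the full new value set.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed schema stub: attribute type -> EQUALITY matching rule (None if absent).
# A real client would read this from the server's subschema subentry.
SCHEMA_EQUALITY: Dict[str, Optional[str]] = {
    "telephoneNumber": "telephoneNumberMatch",
    "facsimileTelephoneNumber": None,   # RFC 2256 defines SYNTAX only, no EQUALITY
}

ModOp = Tuple[str, str, List[str]]     # (operation, attribute type, values)


def has_equality_rule(attr: str) -> bool:
    """True when the schema stub records an EQUALITY rule for attr."""
    return SCHEMA_EQUALITY.get(attr) is not None


def plan_value_change(attr: str, current: Iterable[str],
                      add: Iterable[str] = (), delete: Iterable[str] = ()) -> List[ModOp]:
    """Turn an intended per-value change into the modifications to send.

    With an EQUALITY rule the intent is sent as-is (delete first, then add, so
    the server sees the same ordering a human would write in LDIF).  Without
    one, the final value set is computed here from the values previously read
    back from the entry and sent as a single replace.  Note that this is a
    read-modify-write: a concurrent writer's change to the same attribute is
    silently overwritten, which is the price of not having a matching rule.
    """
    add, delete = list(add), list(delete)
    if has_equality_rule(attr):
        ops: List[ModOp] = []
        if delete:
            ops.append(("delete", attr, delete))
        if add:
            ops.append(("add", attr, add))
        return ops
    # No equality rule: fold the change into one replace, preserving order.
    final = [v for v in current if v not in delete]
    for v in add:
        if v not in final:
            final.append(v)
    return [("replace", attr, final)]


def to_ldif(dn: str, ops: List[ModOp]) -> str:
    """Render the planned modifications as a changetype: modify LDIF record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in ops:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the entry currently holds one fax number (read back
    # from a prior search) and we want to add a second one.
    dn = "cn=example,dc=example,dc=com"
    fax_now = ["+1 650 555 0100"]
    print(to_ldif(dn, plan_value_change("facsimileTelephoneNumber", fax_now,
                                        add=["+1 650 555 0101"])))
    print(to_ldif(dn, plan_value_change("telephoneNumber", ["+1 650 555 0100"],
                                        delete=["+1 650 555 0100"],
                                        add=["+1 650 555 0102"])))
```

The first record comes out as a single `replace: facsimileTelephoneNumber` listing both values; the second keeps the separate `delete:` and `add:` changes because telephoneNumber has a matching rule the server can use. The read-modify-write caveat in the comment is the practical cost of the replace workaround: two clients updating a no-equality attribute at the same time can lose each other's values, whereas per-value add/delete on an attribute with a matching rule is applied atomically by the server.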