
Re: (ITS#5312) ldapmodify(1) man page claims that "changetype:" not necessary

Howard Chu writes:
>Hallvard B Furuseth wrote:
>> Changing the -devel thread's example a bit, I'd say 2.3 accepted one
>> dangerous bug, one unambiguous but possibly misleading format (a modify
>> record both with and without "add/delete/replace: attribute" lines), and
>> one safe format ("changetype: modify" but no "add/delete/replace:"):
> No. If you (foolishly or unluckily) have attributes in your schema named 
> "add", "delete", or "replace" then in <=2.3 you are completely hosed. There 
> are no unambiguous or safe cases in these malformed inputs.

Well, you'd have to use "add/delete/replace:".  ldapmodify only noticed
those keywords after "-", "dn:" and "changetype:" lines.

But I agree those attribute names make things icky.  And they still do,
because "changetype:" is optional.  This LDIF:
  dn: dc=example,dc=com
  add: foo
  foo: bar
affects attr "foo" with ldapmodify, but "add" and "foo" with ldapadd.

The current change seems to me to require either too little or too much
RFC 2849 conformance in ldapmodify.  (Require the final "-" and it gets

>> OTOH it would be an LDIF-compatible extension to make the attribute
>> description in "attribute: value" optional after "add/replace/delete:
>> attribute".  Then one could omit the terminating "-" too.
> Likewise, this is unsafe.

Why so?  Treat a ": value" line followed by a "whatever:" line as if
there was a "-" line between.  "delete/replace: attr" not followed by
attribute value lines might need a "-" after it though.
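The ambiguity discussed in this message, as an added example that is not part of the thread or of OpenLDAP: a simplified LDIF reader that interprets the quoted record as ldapadd would (a content record) and as ldapmodify would (a change record with an implied "changetype: modify", recognising add/delete/replace only where the message says 2.3 did). The function names and the simplifications are assumptions of this example.

```python
# Added example, not OpenLDAP code: a simplified LDIF reader (no base64 values,
# continuation lines or URLs) showing how one record reads in two modes.

MOD_OPS = ("add", "delete", "replace")

def parse_record(text):
    """Split one LDIF record into (dn, [(name, value), ...]); "-" keeps name "-"."""
    dn, lines = None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            lines.append((name, value))
    return dn, lines

def as_content_record(text):
    """ldapadd view: every non-dn line is an attribute value, "add: foo" included."""
    dn, lines = parse_record(text)
    entry = {}
    for name, value in lines:
        entry.setdefault(name, []).append(value)
    return dn, entry

def as_change_record(text):
    """ldapmodify view (2.3 rule described above): a missing "changetype:" means
    modify, and add/delete/replace are keywords only while no modification is open."""
    dn, lines = parse_record(text)
    mods, current = [], None            # current = (op, attr, [values])
    for name, value in lines:
        if name == "changetype":        # optional; only "modify" is modelled here
            continue
        if name == "-" and current is not None:   # "-" closes the open modification
            mods.append(current)
            current = None
        elif current is None:           # right after dn:/changetype:/-: keywords count
            if name not in MOD_OPS:
                raise ValueError(f"expected add/delete/replace, got {name!r}")
            current = (name, value.lower(), [])
        else:
            current[2].append(value)    # inside a modification "add: x" is a value
    if current is not None:             # tolerate a record without the final "-"
        mods.append(current)
    return dn, [(op, attr, tuple(vals)) for op, attr, vals in mods]

# Constructed input: the record quoted in the message above.
LDIF = "dn: dc=example,dc=com\nadd: foo\nfoo: bar\n"
```

With the same three lines, as_content_record reports attributes "add" and "foo" while as_change_record reports one add of "foo", which is the divergence the message points out.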