Re: openldap entry modification
daniel rahmeh wrote:
> I have a question concerning the best method to modify an entry (in
> openldap) using a programming API like php.
> php offers the ability to modify an entry using some functions like
> ldap_modify, ldap_mod_add, ldap_mod_del. Sometimes it's complicated to
> use these functions, in this case, developers use another approach,
> which is deleting the entry and then add it with the new attributes

What do you mean with complicated?

> my question is: is it fine to delete an entry and re-add it?? does
> this affect the performance of openLDAP?

I consider this to be bad practice:
1. A new entry gets a new entryUUID which definitely leads to a new
entry being replicated. Note that some other legacy sync mechanisms
might also rely on entryUUID being constant for a given entity
represented by the entry.
2. The directory server might do some other things hidden to the
application with other operational attributes (e.g. MS AD). This might
lead to user accounts being deactivated when being re-added etc.
In python-ldap there is a function ldap.modlist.modifyModlist() which
generates a diff (list of modifications) of an old and a new entry which
can be passed to method LDAPObject.modify(). Maybe something like this
could be implemented in PHP to make it easier.
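
Added example, not part of the original message and not python-ldap's own code: a self-contained sketch of the diff approach the reply describes, computing the modifications that turn an old entry into a new one so the entry is changed in place rather than deleted and re-added. The name `diff_entry`, the `SERVER_MANAGED` list and the sample entries are assumptions constructed for illustration.

```python
# Stand-alone sketch of an entry diff; needs no LDAP library or server.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # LDAP modify op codes (RFC 4511)

# Assumed list of operational attributes the server maintains itself;
# the client must never try to write them back.
SERVER_MANAGED = frozenset({"entryuuid", "entrycsn", "createtimestamp",
                            "modifytimestamp", "creatorsname", "modifiersname"})


def _normalize(entry):
    """Lower-case attribute names; hold values as sets (order is irrelevant)."""
    return {attr.lower(): (attr, set(values)) for attr, values in entry.items()}


def diff_entry(old, new, ignore=SERVER_MANAGED):
    """Return [(op, attr, values)] turning `old` into `new` with one modify."""
    old_n, new_n = _normalize(old), _normalize(new)
    mods = []
    for key in sorted(set(old_n) | set(new_n)):
        if key in ignore:
            continue
        name = (new_n.get(key) or old_n[key])[0]
        old_vals = old_n.get(key, (None, set()))[1]
        new_vals = new_n.get(key, (None, set()))[1]
        if old_vals == new_vals:
            continue  # unchanged attribute: send nothing
        if not old_vals:
            mods.append((MOD_ADD, name, sorted(new_vals)))
        elif not new_vals:
            mods.append((MOD_DELETE, name, None))  # None = drop all values
        else:
            mods.append((MOD_REPLACE, name, sorted(new_vals)))
    return mods


# Constructed sample entries (all values are illustrative).
OLD = {
    "cn": [b"Jane Doe"],
    "mail": [b"jane@example.com"],
    "description": [b"temp"],
    "entryUUID": [b"00000000-0000-0000-0000-000000000001"],
}
NEW = {
    "cn": [b"Jane Doe"],
    "mail": [b"jane.doe@example.com"],
    "telephoneNumber": [b"+1 555 0100"],
}
```

For the sample entries the result contains only the three changed attributes; `cn` is untouched and `entryUUID` never appears in the modification list.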