Or operations that replace the values. But the attributeOrValueExists error is
not going to help here.
We have to distinguish various write operations in detail:
attributeOrValueExists (for MOD_ADD) and its counterpart noSuchAttribute (for
MOD_DELETE) solely helps if your modify request only contains *single*
attribute
values.
Not even in that case. E.g. see above. You will not get the error if you are
re-adding a group that was deleted just a millisecond ago just because the
network latencies haven't turned up in your favor.
So, the implication "error => something wrong happened" does not hold. And the
implication "something wrong happened => error" does not hold either. So, what
the error really says is:
"Hey there! Maybe something wrong happened. Or maybe not. It may all be OK.
There is no way to be sure. So forget it. I just wanted to talk to you. Sorry
to bother you. And, by the way, your operation failed. Just for fun. Try
something else. I won't tell you what. Go figure. Bye."
How useful is that?
I think we mostly agree on the general issues.
But we agree to disagree whether permissive modify control is part of a
solution
or will mask serious security issues. Personally I prefer to let problems/error
happen and then explicitly ignore them if I'm 100% sure it's ok. So
personally I
wouldn't use permissive modify control. YMMV.
Correct. But this specific thing will not help you. Because the error may
happen when everything is OK. And even worse: it might NOT happen if there is
a real problem. Relying on that error makes no sense. And in fact it might be
even dangerous. This is a bad trade-off. Very bad.