Paul Wankadia junyer at gmail.com
Fri Sep 19 16:31:31 CEST 2008

On Fri, Sep 19, 2008 at 6:12 PM, Michael Ströder <michael at stroeder.com> wrote:

>> The current implementation of modifyModlist() clashed with some ACLs
>> because it touches too many values. :/
> I don't fully understand. Do you have ACLs based on certain attribute
> values? It would probably be a good idea to mention these issues in the
> docs.

Access to objectClass is restricted, for example, so it's necessary to
be surgical.

>>       if old_values != new_values:
>>         modify.append((ldap.MOD_REPLACE, attr, list(new_values)))
> The problem with MOD_REPLACE or with only deleting/adding certain
> attribute values is that it needs EQUALITY matching rules to be
> implemented at the server-side for all syntaxes of attributes to be
> modified. That's not the case for e.g. jpegPhoto (or even attribute
> postalAddress on some servers).

Do you happen to know whether OpenLDAP has any problems in this regard?

> In web2ldap I have a modified function modifyModlist() which examines
> the subschema for determining whether the attribute type has an EQUALITY
> matching rule assigned and whether this particular matching rule is
> really listed in the subschema.

What does it do then?

> => So for general use I won't accept your version since it will choke in
> many more cases.

I understand.
