[python-ldap] Modlist with a replace sometimes fails

Michael Ströder michael at stroeder.com
Thu Feb 18 07:32:56 EST 2016 

Jephte Clain wrote:
> hello,
> just chiming in to check that I understand correctly...
> 
> 2016-02-18 12:30 GMT+04:00 Michael Ströder <michael at stroeder.com>:
>> William wrote:
>>> I noticed that the code for modlist does the following:
>>>
>>> line 111:
>>>       if replace_attr_value:
>>>         modlist.append((ldap.MOD_DELETE,attrtype,None))
>>>         modlist.append((ldap.MOD_ADD,attrtype,new_value))
>>>
>>> This often fails on certain ldap servers, especially with configuration
>>> directives as they cannot be removed before the add takes place.
>>
>> Could you please give more details:
>> - LDAP server vendor and exact version
>> - attribute for which this fails
>>
>>> I would like to ask that either this be fixed to:
>>>
>>> line 111:
>>>       if replace_attr_value:
>>>         modlist.append((ldap.MOD_REPLACE,attrtype,new_value))
>>
>> It's probably time to add that to the FAQ:
>>
>> https://mail.python.org/pipermail/python-ldap/2008q3/002342.html
> 
> Are you saying that
> 
> dn: xxx
> changetype: modify
> replace: attr
> attr: value
> 
> requires attr to have an equality matching rule?

Yes. There's reason why ldap.modlist.modifyModlist() works like this. Actually I
used ldap.MOD_REPLACE in older versions but this did not work. So I've changed
it many years ago:

http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Lib/ldap/modlist.py?r1=1.4&r2=1.5

> why not, I mean one
> don't care what the previous value is as it is replaced???

It does not matter what you or I consider to be reasonable.
What counts is how LDAP servers process the modify requests.

> FYI, on OpenLDAP, under the cn=config database, there are some
> attributes that a required to exist.

This should be no issue.

> You can't just delete then add
> them: you have to replace them.

I have some doubts.

Please give more details:
- OpenLDAP version
- *exact* modify operation
- *exact* error message
- preferrably test code illustrating the issue

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20160218/13543f84/attachment-0001.bin>

More information about the python-ldap mailing list