[python-ldap] Modlist with a replace sometimes fails

Michael Ströder michael at stroeder.com
Thu Mar 3 10:32:15 EST 2016

William wrote:
> I never heard back about whether the below patch is acceptable. I do not change
> the default behaviour, only add the ability to use MOD_REPLACE if the user wishes
> it.

Even though this small change does not change the default behaviour it might be
actually used and people will ask here when running into problems. We had
discussions about that function before. I suspect your patch will open a can of
worms leading to more patches for upcoming corner-cases. Also I don't have a
test server running 389-DS. So it's hard for me to test corner-cases.

So if this is an urgent need in your project then you can easily overload this
function with your own implementation. Even with your patch you have to touch
your code.

In general it seems that this function might not fit everybody's needs. So I'll
add an interop note in the docs about this:

   .. note::
      Replacing attribute values is always done with a
      :py:const:`ldap.MOD_DELETE`/:py:const:`ldap.MOD_ADD` pair instead of
      :py:const:`ldap.MOD_REPLACE` to work around potential issues with
      attributes for which no EQUALITY matching rule is defined in the
      server's subschema.  This works correctly in most situations but
      rarely fails with some LDAP servers implementing (schema) checks on
      the transient state of the entry while processing the modify operation.

Ciao, Michael.

P.S.: IMO 389-DS should be fixed.

Michael Ströder
E-Mail: michael at stroeder.com
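
The override suggested in the message above could look like the following. This is an added example, not code from python-ldap or from either poster: the name replace_modlist and the sample entries are hypothetical, and the constants are defined locally with the same values as ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE so the block runs without python-ldap installed. It gives up the workaround for attributes with no EQUALITY matching rule that the note describes.

```python
# Added example; not python-ldap code. Constants mirror ldap.MOD_ADD,
# ldap.MOD_DELETE and ldap.MOD_REPLACE (RFC 4511 operation codes).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def _by_lower_name(entry, ignore):
    """Index an entry by lower-cased attribute type, skipping ignored types and empty values."""
    indexed = {}
    for attr, values in entry.items():
        values = [v for v in values if v is not None]
        if attr.lower() not in ignore and values:
            indexed[attr.lower()] = (attr, values)
    return indexed


def replace_modlist(old_entry, new_entry, ignore_attr_types=()):
    """Hypothetical stand-in for the stock modlist helper.

    A changed attribute becomes a single MOD_REPLACE instead of a
    MOD_DELETE/MOD_ADD pair, so a server that checks the entry between
    modifications does not see it without the attribute.
    """
    ignore = {a.lower() for a in ignore_attr_types}
    old = _by_lower_name(old_entry, ignore)
    new = _by_lower_name(new_entry, ignore)
    modlist = []
    for key, (attr, new_values) in new.items():
        if key not in old:
            modlist.append((MOD_ADD, attr, new_values))
        elif sorted(old[key][1]) != sorted(new_values):
            modlist.append((MOD_REPLACE, attr, new_values))
    for key, (attr, _) in old.items():
        if key not in new:
            # Attribute removed entirely: delete all of its values.
            modlist.append((MOD_DELETE, attr, None))
    return modlist


# Constructed sample entries (values are bytes, as python-ldap 3.x expects).
OLD = {"cn": [b"Alice"], "mail": [b"a@example.org"], "description": [b"temp"]}
NEW = {"cn": [b"Alice"], "Mail": [b"alice@example.org"],
       "telephoneNumber": [b"+1 555 0100"]}

if __name__ == "__main__":
    for mod in replace_modlist(OLD, NEW):
        print(mod)
```

The returned list has the (operation, attribute, values) shape that python-ldap's modify calls take.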
