[python-ldap] Issues with modifiModlist

Michael Ströder michael at stroeder.com
Sat Nov 26 11:05:51 EST 2016

Facundo Acevedo wrote:
> Hello, I've realized that the parameter of the old attribute is the same
> length that the new, modifyModlist do not works as expected, it returns
> an empty list.
> [..]
> I think the problem is in ldap/modlist.py:95
> replace_attr_value = len(old_value)!=len(new_value)

This line above is only an optimization short-cut for not having to examine each
attribute value in case the list of attribute values is different by length anyway.

Note that the attribute value lists are compared like sets because that's what
LDAPv3 attributes contain:


In general LDAPv3 client implementations should not rely on order of attribute

In practice all LDAPv3 servers I've tested do preserve and change the order of
the attribute values as provided by the client. So the above optimization is
indeed debatable. But note that you'll never know what all the other LDAP
clients are doing in your deployment.

Before going into considerations whether to change that in python-ldap or not:

Which exact problem do you want to solve?

Why is order significant in your application?

Why do you want to use the above function instead of rolling your own which
better fits your particular needs?

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20161126/04d21d1d/attachment.bin>

More information about the python-ldap mailing list