Re: Flaw in design about how delete's are handled (ITS#2425)
>
>
> --On Sunday, April 06, 2003 11:56 AM -0700 "Kurt D. Zeilenga"
> <Kurt@OpenLDAP.org> wrote:
>
>> At 10:36 PM 4/5/2003, quanah@stanford.edu wrote:
>>> Full_Name: Quanah Gibson-Mount
>>> Version: 2.1.16
>>> OS: Solaris 8
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (171.66.182.82)
>>>
>>>
>>> There is a major flaw in the way in which OpenLDAP handles modifies
>>> and deletes of attributes. If there is no defined matching rule, it
>>> is impossible to add multiple instances of multi-valued attributes,
>>
>> Per X.501(93), if there is no equality matching rule, no comparisons
>> can be done. The client should not attempt to individually add/delete
>> values when there is no matching rule as that requires the server to
>> do comparisons and as such is not possible, causes the error to be
>> returned. It should use replace instead.
>>
>>> and there is no way to delete
>>> specific instances of a given attribute that has no matching rule.
>>
>> Per RFC 2251, clients are explicitly prohibited from issuing
>> deletes of single values when there is no equality rule, they
>> are to use replace instead. While not explicitly stated,
>> clients are prohibited from issuing adds of single values to
>> an existing attribute when there is no equality rule, they
>> are to use replace instead. (The latter should be added
>> when the LDAP technical specification is revised by the IETF.)
>>
>>> This
>>> presents particular problems when trying to build programs with which
>>> to write changes into the OpenLDAP directory system. To get such a
>>> program to work, it has to know which attributes to treat as special,
>>> which adds unnecessary layers/levels of complexity to a program that
>>> should not need that logic built into it.
>>
>> Simply put, applications which modify the directory should be
>> schema aware.
>
> They should be aware to the extent of knowing what attributes they can
> write to. I still do not see in your statements how one is supposed to
> create multiple values for a multi-valued attribute with no matching
> rule, only replace a single value with a new value.
Or replace ALL values with a new SET of values, with the desired
changes. I think that if an attribute does not have a matching
rule on the server side, it means that the designer of the
attribute assumed there is no need for the server to be able to
do matches on it; however the client, which should be aware of the
semantics of the attribute, if it's using it, should be able to do
comparisons and what else is needed to arrange a modified list of
values which will replace the old one "in toto". As you see, there
is a workaround to your problem, which, I insist, is not the server's
fault.
> And again, you can
> only delete a single value. Personally, I think attributes without
> matching rules are somewhat broken in and of themselves. However,
> given that things like facsimileTelephoneNumber don't have a defined
> matching rule (even though it is a telephone number), it is something to
> be dealt with.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
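The workaround Pierangelo describes (the client reads the current values, edits the set itself, and sends one replace of the whole set, while attributes that do have an equality rule keep ordinary per-value add/delete) can be put into a small schema-aware modify builder. The code below is an added example written for this page; it is not OpenLDAP code and was not posted in the thread. The SCHEMA table is a constructed fragment (facsimileTelephoneNumber genuinely has no EQUALITY rule in the standard schema and telephoneNumber uses telephoneNumberMatch, but the table is otherwise made up), the function names are the example's own, and the DN and phone numbers are constructed. Nothing talks to a server; the output is an LDIF change record of the kind ldapmodify(1) reads.

```python
"""Schema-aware LDAP modify builder (example code for this page, not
OpenLDAP's own).

For an attribute type with no EQUALITY matching rule the server cannot
compare values, so per-value add/delete modifications are refused.  The
client, which knows the attribute's semantics, edits the value set itself
and sends one "replace" carrying the complete new set.  Attribute types
that do have an equality rule keep the usual per-value add/delete.
"""
from __future__ import annotations

import base64
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed schema fragment: attribute type -> name of its EQUALITY rule,
# or None when the schema defines no equality rule for it.
SCHEMA: Dict[str, Optional[str]] = {
    "telephoneNumber": "telephoneNumberMatch",
    "facsimileTelephoneNumber": None,
    "mail": "caseIgnoreIA5Match",
}

Mod = Tuple[str, str, List[str]]  # (operation, attribute, values)


def has_equality_rule(attr: str) -> bool:
    """True if the (constructed) schema defines an EQUALITY rule for attr."""
    if attr not in SCHEMA:
        raise ValueError(f"unknown attribute type: {attr}")
    return SCHEMA[attr] is not None


def build_mods(attr: str, current: Iterable[str],
               add: Iterable[str] = (), delete: Iterable[str] = ()) -> List[Mod]:
    """Return the modifications needed to apply add/delete to attr.

    current: the values the entry holds now (read back before modifying).
    add / delete: the values the application wants added or removed.
    """
    current, add, delete = list(current), list(add), list(delete)
    if has_equality_rule(attr):
        # The server can compare values, so per-value edits are allowed.
        mods: List[Mod] = []
        if delete:
            mods.append(("delete", attr, delete))
        if add:
            mods.append(("add", attr, add))
        return mods

    # No equality rule: the client does the comparison itself (exact string
    # equality here, which is this client's choice of semantics) and ships
    # the whole new value set in a single replace.
    missing = [v for v in delete if v not in current]
    if missing:
        # Mirror what a server with a matching rule would report for the
        # delete of an absent value: refuse rather than silently succeed.
        raise ValueError(f"{attr}: cannot delete absent value(s) {missing}")
    new_values = [v for v in current if v not in delete]
    for v in add:
        if v in new_values:
            # Likewise mirror attributeOrValueExists for a duplicate add.
            raise ValueError(f"{attr}: value already present: {v!r}")
        new_values.append(v)
    return [("replace", attr, new_values)]


def _ldif_line(attr: str, value: str) -> str:
    """Encode one value as an LDIF line, base64-encoding unsafe strings
    (RFC 2849: non-ASCII, CR/LF/NUL, or a leading space, colon or '<')."""
    safe = (value.isascii()
            and not any(c in "\r\n\0" for c in value)
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(dn: str, mods: List[Mod]) -> str:
    """Render modifications as an LDIF 'changetype: modify' record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in mods:
        lines.append(f"{op}: {attr}")
        lines.extend(_ldif_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed: the fax numbers the entry currently holds.
    fax_now = ["+1 650 555 0100", "+1 650 555 0101"]
    mods = build_mods("facsimileTelephoneNumber", fax_now,
                      add=["+1 650 555 0102"], delete=["+1 650 555 0100"])
    print(to_ldif("uid=example,dc=example,dc=com", mods))
```

The same call against telephoneNumber yields a delete and an add modification instead of a replace, because that attribute has an equality rule and the server can do the comparison itself. Note the race this workaround carries: between reading the current values and sending the replace, another writer may have changed the attribute, and the replace will overwrite that change; per-value add/delete on an attribute with a matching rule does not have this problem.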