Re: Can LDAP attribute values be null?

["Kurt D. Zeilenga" <kurt@boolean.net>]

OpenLDAP 1.x doesn't support attributes with null values.

>I didn't find any mention of null attribute values in  the LDAP standard,
>either for or against.

No values or an empty value.  Two different things.

No values:

However, the key is in the ASN.1:

     AddRequest ::=
         [APPLICATION 8] SEQUENCE {
              entry          LDAPDN,
              attrs          SEQUENCE OF SEQUENCE {                 
                                  type          AttributeType,       
                                  values        SET OF AttributeValue
                             }
         }

SET OF implies "an unordered collection of zero or more occurrences
of a given type" (RSAlabs, Layman's guide to ASN.1, BER, DER,
ftp://ftp.rsasecurity.com/pub/pkcs/ascii/layman.asc).  Hence,
the protocol (v2 & v3) clearly allows adding types without any
values.

Empty values:

     AttributeValue ::= OCTET STRING

There is no restriction on the length of OCTET STRING.


>Is the behaviour of openLDAP correct?

No, but it is consistent with other LDAPv2-only implementations
(well, any derived from U-Mich LDAP 3.3).

> better than other alternatives?

Yes, a behavior that is liberal in what it accepts.  2.0, when
released, should support attributes without values and attributes
with values which are empty.

	Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>