[python-ldap] Modlist with a replace sometimes fails

Michael Ströder michael at stroeder.com
Fri Mar 4 04:37:51 EST 2016


Petr Spacek wrote:
> Feel free to play with this one:
> ldap://ipa.demo1.freeipa.org
> BIND DN: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
> BIND password: Secret123

Yes, I know: https://web2ldap.de/demo.html#freeipa.org
;-)

But the demo server does not allow accessing cn=config.
And William has issues with certain attributes in cn=config.

FWIW this modification in the normal backend simply worked:

-----------------------------------------------------------------
dn: uid=test,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
changetype: modify
delete: uidNumber
-
add: uidNumber
uidNumber: 1120000042
-
delete: gidNumber
-
add: gidNumber
gidNumber: 1120000017
-

-----------------------------------------------------------------

This modification was generated by web2ldap. As you can see, the whole MUST
attributes are always removed with MOD_DELETE and the new list is added with
MOD_ADD. This is because 389-DS does not publish any matching rule information
in its subschema.

Note that web2ldap has a schema-aware variant of ldap.modlist.modifyModlist()
which looks at EQUALITY matching rules.

Here's an example of a similar modification generated by web2ldap when the
server is OpenLDAP:

-----------------------------------------------------------------
dn: cn=Fred Feuerstein,ou=Testing,dc=stroeder,dc=de
changetype: modify
delete: uidNumber
uidNumber: 540
-
add: uidNumber
uidNumber: 23540
-
delete: gidNumber
gidNumber: 100
-
add: gidNumber
gidNumber: 9000
-

-----------------------------------------------------------------

As you can see, the removed attribute values are explicitly listed in the
MOD_DELETE part. This is done to provoke a failure in case of concurrent write
access to the entry. Well, the best way to deal with concurrent write access is
the Assertion Control (see RFC 4528). But this is also not supported by 389-DS.

Ciao, Michael.
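
The two change records above and the "provoke failure on concurrent write" reasoning, as an added example. This is not code from the post, from web2ldap or from python-ldap: schema_aware_modlist() is a small generator in the spirit of the schema-aware modifyModlist() variant Michael describes, taking the set of attribute types with an EQUALITY rule as an argument (an assumption; real code would read it from the server's subschema subentry), modlist_to_ldif() renders its output in the LDIF form shown above, and apply_modlist() is a toy in-memory stand-in for a directory server. The old values of the 389-DS entry are not shown in the post and are constructed here; the MOD_ADD/MOD_DELETE numbers are python-ldap's (0 and 1) if the module is not installed.

```python
# Added example, not code from python-ldap or web2ldap: a schema-aware modlist
# generator in the spirit of the web2ldap variant described above, an LDIF
# renderer checked against the two change records in the post, and a toy
# in-memory "server" showing what naming old values in MOD_DELETE buys.
try:
    from ldap import MOD_ADD, MOD_DELETE   # python-ldap, if installed
except ImportError:                         # same numbers as the LDAP C API
    MOD_ADD, MOD_DELETE = 0, 1

MOD_NAMES = {MOD_ADD: "add", MOD_DELETE: "delete"}

class NoSuchAttribute(Exception):
    """Stands in for ldap.NO_SUCH_ATTRIBUTE (LDAP resultCode 16)."""

def schema_aware_modlist(old_entry, new_entry, has_equality):
    """Return a python-ldap style modlist [(op, attr, values_or_None), ...].

    old_entry/new_entry map attribute -> list of str; has_equality is the set
    of attribute types whose subschema publishes an EQUALITY matching rule
    (an assumption here; real code reads the server's subschema subentry).
    A server can only delete a specific value if it can match it, so with an
    EQUALITY rule the old values are named in MOD_DELETE (a concurrent change
    then makes the modify fail); without one the whole attribute is deleted
    (MOD_DELETE with None) and re-added, as in the 389-DS record above.
    """
    modlist = []
    attrs = list(new_entry) + [a for a in old_entry if a not in new_entry]
    for attr in attrs:
        old_vals = list(old_entry.get(attr, []))
        new_vals = list(new_entry.get(attr, []))
        if old_vals == new_vals:
            continue
        if attr in has_equality:          # value-level diff
            gone = [v for v in old_vals if v not in new_vals]
            came = [v for v in new_vals if v not in old_vals]
        else:                             # whole-attribute delete, re-add all
            gone, came = (None if old_vals else []), new_vals
        if gone is None or gone:
            modlist.append((MOD_DELETE, attr, gone))
        if came:
            modlist.append((MOD_ADD, attr, came))
    return modlist

def modlist_to_ldif(dn, modlist):
    """Render a modlist as an LDIF change record (values assumed LDIF-safe)."""
    lines = ["dn: %s" % dn, "changetype: modify"]
    for op, attr, vals in modlist:
        lines.append("%s: %s" % (MOD_NAMES[op], attr))
        lines.extend("%s: %s" % (attr, v) for v in vals or [])
        lines.append("-")
    return "\n".join(lines) + "\n"

def apply_modlist(entry, modlist):
    """Apply a modlist to an entry dict in place, as a server would: a
    MOD_DELETE naming a value that is not (or no longer) there fails with
    noSuchAttribute, and since a modify is atomic the entry stays untouched."""
    work = {a: list(v) for a, v in entry.items()}
    for op, attr, vals in modlist:
        if op == MOD_DELETE:
            if attr not in work or any(v not in work[attr] for v in vals or []):
                raise NoSuchAttribute(attr)
            work[attr] = [] if vals is None else [v for v in work[attr] if v not in vals]
            if not work[attr]:
                del work[attr]
        elif op == MOD_ADD:
            work.setdefault(attr, []).extend(vals)
    entry.clear()
    entry.update(work)
    return entry

def ldif_from_post(server_publishes_equality):
    """Regenerate the two change records quoted in the post; the old values of
    the 389-DS entry are not shown there and are constructed here."""
    if server_publishes_equality:       # the OpenLDAP record
        dn = "cn=Fred Feuerstein,ou=Testing,dc=stroeder,dc=de"
        old = {"uidNumber": ["540"], "gidNumber": ["100"]}
        new = {"uidNumber": ["23540"], "gidNumber": ["9000"]}
        rules = {"uidNumber", "gidNumber"}
    else:                               # the 389-DS (FreeIPA demo) record
        dn = "uid=test,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
        old = {"uidNumber": ["1120000001"], "gidNumber": ["1120000001"]}
        new = {"uidNumber": ["1120000042"], "gidNumber": ["1120000017"]}
        rules = set()
    return modlist_to_ldif(dn, schema_aware_modlist(old, new, rules))

def concurrent_write_demo():
    """Two clients read uidNumber=540; the first changes it, the second then
    writes from its stale copy.  Returns (outcome with EQUALITY known, stored
    uidNumber after the same stale write against a server without it)."""
    stored = {"uidNumber": ["540"], "gidNumber": ["100"]}
    stale = {a: list(v) for a, v in stored.items()}
    apply_modlist(stored, schema_aware_modlist(
        stale, {"uidNumber": ["23540"], "gidNumber": ["100"]}, {"uidNumber"}))
    wanted = {"uidNumber": ["777"], "gidNumber": ["100"]}
    try:        # MOD_DELETE names 540, which is gone: the server rejects it
        apply_modlist(stored, schema_aware_modlist(stale, wanted, {"uidNumber"}))
        outcome = "lost update"
    except NoSuchAttribute:
        outcome = "rejected"
    # whole-attribute delete gives the server no way to notice the stale read
    apply_modlist(stored, schema_aware_modlist(stale, wanted, set()))
    return outcome, stored["uidNumber"]

if __name__ == "__main__":
    print(ldif_from_post(False) + ldif_from_post(True))
    print(concurrent_write_demo())
```

Running it prints the two change records exactly as they appear above and then ("rejected", ["777"]): with the old value named in MOD_DELETE the stale write is refused with noSuchAttribute, while the whole-attribute delete/add that a server without published EQUALITY rules forces silently overwrites the first client's change. Against a real server the same modlists go straight into ldap.ldapobject's modify_s(dn, modlist).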
