On 9/27/18 4:40 PM, Quanah Gibson-Mount wrote:
--On Wednesday, September 26, 2018 3:27 PM -0400 Chris Paul wrote:
One more detail: I know "replace" will work but "add" would be
more convenient. Also, python-ldap does not support ldap.MOD_REPLACE
apparently.
Python has certainly worked with it just fine in the past, and I doubt
it suddenly stopped, because that'd break a lot of python applications...
--Quanah
Hi Quanah,
According to this link, replace is not done using LDAP_MOD_REPLACE:
https://www.python-ldap.org/en/latest/reference/ldap-modlist.html.
As it is written there, "Replacing attribute values is always done with
a ldap.MOD_DELETE/ldap.MOD_ADD pair instead of ldap.MOD_REPLACE to
work-around potential issues with attributes for which no EQUALITY
matching rule are defined in the server’s subschema. This works
correctly in most situations but rarely fails with some LDAP servers
implementing (schema) checks on transient state entry during processing
the modify operation."
I'm not sure I get that rationale, but it is apparently the case when
using python-ldap's LDAPObject.modify_s.
CP
