--On Thursday, September 27, 2018 7:09 PM -0700 Christopher Paul
As it is written there, "Replacing attribute values is always
done with a
ldap.MOD_DELETE/ldap.MOD_ADD pair instead of ldap.MOD_REPLACE to
work-around potential issues with attributes for which no EQUALITY
matching rule are defined in the server's subschema. This works
correctly in most situations but rarely fails with some LDAP servers
implementing (schema) checks on transient state entry during processing
the modify operation."
And this strategy would work just fine, because it deletes all values
before doing the add. It's essentially what the REPLACE op does anyway.
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: