On 9/27/18 6:53 PM, Quanah Gibson-Mount wrote:
> And this strategy would work just fine, because it deletes all values before doing the add.  It's essentially what the REPLACE op does anyway.
> --Quanah

Well yeah it works now, after adding the EQUALITY rule to the attribute(*). Can someone pls explain this to me? I'm not getting why LDAP_MOD_REPLACE won't work without an EQUALITY rule.

Also, please note my original post on this thread. I just wanted to add one attribute. It seems a lot more efficient, if I just want to add one attribute (in this case to a multi-valued attribute) to be able to use LDAP_MOD_ADD, instead of LDAP_MOD_REPLACE (or especially instead of LDAP_MOD_DELETE/LDAP_MOD_ADD pair).

Now that I'm taking another look at the python-ldap docs, I realize that maybe I could get my sole LDAP_MOD_ADD if I abandon trying to use the python module "ldap.modlist". It seems that I could generate my own list instead of using "ldap.modlist" to generate the list, and thus specify ldap.MOD_ADD as the 1st element in the tuple.

(*) Note this is only a test environment. I don't really care about breaking anything. If I were to change the schema in production, I'd go to a lot more effort validating that it would not break anything (or just plan on the LDIF export/import).