Radovan Semancik wrote:
Yes, I can always read the entry first, compute changes and then modify it. But why do I need to do that? It takes two round trips and client overhead, and it does not guarantee a success anyway. Server can do that easily and reliably. Now, if my directory server is somewhere in the cloud tens of milliseconds away and I have millions of users to provision then each extra round-trip is a waste.
Maybe we have a different understanding of the semantics of the permissive modify control:
IMO using permissive modify control does not help getting rid of this extra round-trip because you have to read the target entry first anyway to determine whether you have to remove attributes or distinct attribute values.
Getting rid of the round-trip would require using something like the contrib addpartial overlay where the client application always sends add requests with the whole entry even for existing entries.
So, let's get back to the original question: does OpenLDAP support the control? Do I need to configure something to enable it? That's all I need.
As said in my *first* answer it's listed in the rootDSE of my installation.
And it seems to work:
test-permissive-control.ldif:
------------------------------------------------------
dn: uid=foobar42,ou=Testing,dc=stroeder,dc=de
changetype: modify
add: o
o: Test
-
------------------------------------------------------

$ ldapmodify -f test-permissive-control.ldif
modifying entry "uid=foobar42,ou=Testing,dc=stroeder,dc=de"

$ ldapmodify -f test-permissive-control.ldif
modifying entry "uid=foobar42,ou=Testing,dc=stroeder,dc=de"
ldap_modify: Type or value exists (20)
        additional info: modify/add: o: value #0 already exists

$ ldapmodify -e 1.2.840.113556.1.4.1413 -f test-permissive-control.ldif
modifying entry "uid=foobar42,ou=Testing,dc=stroeder,dc=de"
Ciao, Michael.
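
An added example, not part of the original message and not OpenLDAP code: a small in-memory Python model of the modify behaviour in the session above, with and without control 1.2.840.113556.1.4.1413, showing that a replayed add succeeds under the control while a value the change never names stays in the entry. The names `modify` and `replay_demo`, the starting entry, the delete message text and the exact-string value matching are assumptions made for the illustration.

```python
# Constructed in-memory model of LDAP modify semantics; not OpenLDAP code.
PERMISSIVE_MODIFY_OID = "1.2.840.113556.1.4.1413"  # OID used on the page
TYPE_OR_VALUE_EXISTS = 20   # result code shown in the ldapmodify output
NO_SUCH_ATTRIBUTE = 16      # RFC 4511 result code for deleting a missing value


class LDAPError(Exception):
    def __init__(self, code, info):
        super().__init__(f"({code}) {info}")
        self.code = code


def modify(entry, mods, controls=()):
    """Apply (op, attr, values) mods atomically to a dict of attr -> set.

    Simplification: values are compared as exact strings, no matching rules.
    """
    permissive = PERMISSIVE_MODIFY_OID in controls
    work = {a: set(v) for a, v in entry.items()}   # copy: all-or-nothing
    for op, attr, values in mods:
        current = work.setdefault(attr, set())
        for i, value in enumerate(values):
            if op == "add":
                if value in current and not permissive:
                    raise LDAPError(TYPE_OR_VALUE_EXISTS,
                                    f"modify/add: {attr}: value #{i} already exists")
                current.add(value)
            elif op == "delete":
                if value not in current and not permissive:
                    raise LDAPError(NO_SUCH_ATTRIBUTE,          # constructed text
                                    f"modify/delete: {attr}: no such value")
                current.discard(value)
            else:
                raise ValueError(f"unsupported op: {op}")
        if not current:
            del work[attr]                          # no empty attributes
    entry.clear()
    entry.update(work)
    return entry


def replay_demo():
    """Replay the page's 'add: o / o: Test' change against one entry."""
    entry = {"uid": {"foobar42"}, "o": {"Old"}}     # constructed starting state
    change = [("add", "o", ["Test"])]
    modify(entry, change)                           # first run succeeds
    try:
        modify(entry, change)                       # plain replay is rejected
        plain = None
    except LDAPError as exc:
        plain = exc.code
    modify(entry, change, controls=(PERMISSIVE_MODIFY_OID,))  # replay accepted
    return plain, sorted(entry["o"])                # "Old" was never removed
```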