On 9/27/18 4:40 PM, Quanah Gibson-Mount wrote:
--On Wednesday, September 26, 2018 3:27 PM -0400 Chris Paul wrote:
One more detail: I know "replace" will work but "add" would be more convenient. Also, python-ldap does not support ldap.MOD_REPLACE apparently.
Python has certainly worked with it just fine in the past, and I doubt it suddenly stopped, because that'd break a lot of python applications...
--Quanah
Hi Quanah,
According to this link, replace is not done using LDAP_MOD_REPLACE: https://www.python-ldap.org/en/latest/reference/ldap-modlist.html
As it is written there, "Replacing attribute values is always done with a ldap.MOD_DELETE/ldap.MOD_ADD pair instead of ldap.MOD_REPLACE to work-around potential issues with attributes for which no EQUALITY matching rule are defined in the server’s subschema. This works correctly in most situations but rarely fails with some LDAP servers implementing (schema) checks on transient state entry during processing the modify operation."
I'm not sure I get that rationale, but it is apparently the case when using python-ldap's LDAPObject.modify_s.
CP
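
The two modlist shapes under discussion, as an added example that is not part of the original thread and is not python-ldap's own code: a delete/add pair like the one the quoted documentation describes, beside a hand-built list using a single replace operation. `build_modlist` and the sample entry are hypothetical; the fallback operation codes are the RFC 4511 values, used only when python-ldap is not installed.

```python
try:
    import ldap  # python-ldap, if installed
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:
    # Modify operation codes from RFC 4511: add=0, delete=1, replace=2
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def build_modlist(old, new, use_replace=False):
    """Hypothetical helper: diff two entry dicts into a modlist of
    (operation, attribute, values) tuples.

    use_replace=False emits a MOD_DELETE/MOD_ADD pair per changed attribute,
    the shape the quoted documentation describes.
    use_replace=True emits one MOD_REPLACE per changed attribute instead.
    """
    mods = []
    for attr in sorted(set(old) | set(new)):
        before, after = old.get(attr, []), new.get(attr, [])
        if sorted(before) == sorted(after):
            continue  # attribute unchanged, nothing to send
        if not before:
            mods.append((MOD_ADD, attr, after))      # attribute is new
        elif not after:
            mods.append((MOD_DELETE, attr, None))    # attribute removed entirely
        elif use_replace:
            mods.append((MOD_REPLACE, attr, after))  # single atomic replace
        else:
            mods.append((MOD_DELETE, attr, None))    # delete all old values...
            mods.append((MOD_ADD, attr, after))      # ...then add the new ones
    return mods


# Constructed sample entry; python-ldap 3.x expects attribute values as bytes.
OLD = {"mail": [b"old@example.com"], "cn": [b"Test User"]}
NEW = {"mail": [b"new@example.com"], "cn": [b"Test User"],
       "description": [b"demo"]}

PAIR = build_modlist(OLD, NEW)                       # delete/add pair for "mail"
REPLACE = build_modlist(OLD, NEW, use_replace=True)  # one MOD_REPLACE for "mail"

if __name__ == "__main__":
    for name, modlist in (("delete/add pair", PAIR), ("replace", REPLACE)):
        print(name, modlist)
```

Either list has the form that `LDAPObject.modify_s(dn, modlist)` takes on a bound connection.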