From: Robert C. <r....@ho...> - 2005-02-01 13:38:04

Hi,

I've been trying to add an objectClass to an existing dn.
Now I get messages like:

{'info': "attribute 'cn' not allowed", 'desc': 'Object class violation'}
{'info': 'modify/add: objectClass: value #0 already exists', 'desc': 'Type or value exists'}

In my modlist are all the values necessary, I thought. It feels like the chicken and the egg problem.
To insert an objectClass you need the must attributes and to get the attributes you need the new objectClass.

Please tell me what I'm missing here.

Thanks
robert

From: Mark R. <mr...@ok...> - 2005-02-01 15:24:54

On Tue, 2005-02-01 at 14:37 +0100, Robert Cooke wrote:
> Hi,
>
> I've been trying to add an objectClass to an existing dn.
> Now I get messages like :
> {'info': "attribute 'cn' not allowed", 'desc': 'Object class violation'}
> {'info': 'modify/add: objectClass: value #0 already exists', 'desc':
> 'Type or value exists'}

I'm not sure how you're building your modlist, but you might want to use ldap.modlist:

(example off the top of my head, may have typos)

    import ldap
    import ldap.modlist
    import copy

    l = ldap.initialize('ldap://server')
    l.bind_s('...', 'pass')
    # search_s returns a list of (dn, attrs) tuples; take the first result
    dn, attrs = l.search_s(dn, ldap.SCOPE_BASE)[0]
    newattrs = copy.deepcopy(attrs)
    newattrs['objectClass'].append('newobjectclass')
    newattrs['cn'] = ('cn_value',)
    mlist = ldap.modlist.modifyModlist(attrs, newattrs)
    l.modify_s(dn, mlist)

-Mark

From: <mi...@st...> - 2005-02-01 18:05:28

Mark Roach wrote:
>
>>{'info': "attribute 'cn' not allowed", 'desc': 'Object class violation'}
>>{'info': 'modify/add: objectClass: value #0 already exists', 'desc':
>>'Type or value exists'}
>
> mlist = ldap.modlist.modifyModlist(attrs, newattrs)

ldap.modlist.modifyModlist() is a function which calculates the delta of an old entry and what a new entry should look like. The result is a list to be passed to LDAPObject.modify() and .modify_s().

Using this function would certainly help with the problem the original poster has since it would suppress adding the same attribute value twice.

But use this function with care! There surely are situations where the dumb case-sensitive string match for generating the delta is not sufficient. Therefore I don't recommend it unless you really know what you're doing. Better you have full control of what you're doing.

Ciao, Michael.

From: Mark R. <mr...@ok...> - 2005-02-01 16:46:29

On Tue, 2005-02-01 at 17:11 +0100, Robert Cooke wrote:
> Hi,
>
> Thanks mark for your quick response but I'm sorry to tell the problem is
> not yet solved.

Hmm... perhaps the problem is adding new attributes as a tuple. Here is a snippet from actual working code:

    sambaAttributes = deepcopy(newAttributes)
    sambaAttributes['objectClass'].append('sambaSAMAccount')
    sambaSID = domainSID + "-" + str(int(uidNumber) * 2 + 1000)
    sambaAttributes['sambaSID'] = sambaSID
    sambaAttributes['sambaAcctFlags'] = '[UX]'
    modlist = ldap.modlist.modifyModlist(newAttributes, sambaAttributes)
    self._conn.modify_s(userdn, modlist)

As you can see, the new attributes are just strings. That really *shouldn't* make a difference though.

... oh wait. I think I see a problem here:

> list(newattrs['objectClass']).append('ipHost')

This is creating a new copy of newattrs['objectClass'] and appending the new objectClass to that list. You don't need the list() call at all, in fact you need to not use list().

-Mark

From: <mi...@st...> - 2005-02-01 17:53:27

Robert Cooke wrote:
>
> I've been trying to add an objectClass to an existing dn.
> Now I get messages like :
>
> {'info': "attribute 'cn' not allowed", 'desc': 'Object class violation'}
> {'info': 'modify/add: objectClass: value #0 already exists', 'desc':
> 'Type or value exists'}
>
> In my modlist are all the values necessary, I thought. It feels like
> the chicken and the egg problem.

There's no chicken and egg problem here. The error description says that the attribute value for attribute 'cn' is already there. To be clear: Not only the attribute 'cn' itself is present. The very same attribute value is already stored in attribute 'cn' of this entry. This violates the X.500 data model.

Just leave the 'cn' out of your modify list.

> To insert an objectClass you need the must attributes and to get the
> attributes you need the new objectClass.

This is another problem and can be easily solved. Add and modify requests are atomic.

Ciao, Michael.

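
Added example, not part of any post in this thread: one way to build the modify list by hand so that the new objectClass and its required attributes go in a single atomic request and already-stored values are left out. The function name, the sample entry and the value 192.0.2.10 are constructed; MOD_ADD stands in for python-ldap's ldap.MOD_ADD, and comparing non-objectClass values byte-for-byte is an assumption, since real matching rules depend on the attribute's schema.

```python
# Added example: build an explicit modify list instead of diffing entries.
# MOD_ADD mirrors python-ldap's ldap.MOD_ADD constant (value 0) so the
# block runs without a directory server or the ldap module installed.
MOD_ADD = 0


def add_objectclass_modlist(entry, new_class, new_attrs):
    """Return a modlist adding new_class and new_attrs to entry.

    entry     -- dict of attribute name -> list of bytes (search result)
    new_class -- objectClass name to add (bytes)
    new_attrs -- dict of attribute name -> list of bytes values to add
    Values already present are skipped, so the server never sees a
    duplicate ("Type or value exists"). Attribute names and objectClass
    values are compared case-insensitively; other values byte-for-byte.
    """
    # Index the existing entry by lower-cased attribute name.
    present = {name.lower(): values for name, values in entry.items()}
    modlist = []

    classes = {v.lower() for v in present.get("objectclass", [])}
    if new_class.lower() not in classes:
        modlist.append((MOD_ADD, "objectClass", [new_class]))

    for name, values in new_attrs.items():
        existing = set(present.get(name.lower(), []))
        missing = [v for v in values if v not in existing]
        if missing:
            modlist.append((MOD_ADD, name, missing))
    return modlist


# Constructed sample entry (not taken from the poster's directory).
SAMPLE_ENTRY = {
    "objectClass": [b"top", b"device"],
    "cn": [b"host1"],
}

if __name__ == "__main__":
    mods = add_objectclass_modlist(
        SAMPLE_ENTRY, b"ipHost",
        {"cn": [b"host1"], "ipHostNumber": [b"192.0.2.10"]},
    )
    print(mods)
    # With a live connection: conn.modify_s(dn, mods)  # one atomic request
```

The returned list has the (operation, attribute, values) shape that LDAPObject.modify_s() accepts.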