PingDirectory

Unexpected behavior for write operations

A significant issue with virtual attributes is that they can result in unexpected behaviors when targeted by write operations.

These unexpected behaviors include the following:

  • Attempting to delete a virtual value fails with a no such attribute result.

  • If the virtual attribute provider is configured with a conflict-behavior of real-overrides-virtual, then attempting to add a value to an entry that only has virtual values causes the virtual values to disappear.

  • If the virtual attribute provider is configured with a conflict-behavior of real-overrides-virtual, then attempting to remove all real values of an entry causes the virtual values to appear.

  • If the virtual attribute provider is configured with aconflict-behavior of virtual-overrides-real, then attempting to add new values or replace the set of existing values yields a success result, but the operation has no visible effect on the entry.

  • If the virtual attribute provider is configured with a conflict-behavior of merge-real-and-virtual, then attempting to replace the set of values for an entry yields a success result, but only the real values are replaced and the virtual values remain.

There is currently no method to prevent attempts to write to attributes with virtual values. The NO-USER-MODIFICATION constraint in attribute type definitions is honored, but this constraint only applies to operational attribute types. This is not an acceptable limitation in many cases. Access control restrictions could work for many clients, but do not have any effect for requesters with the bypass-acl privilege.