Another significant issue with virtual attributes is that they can result in unexpected behaviors when targeted by write operations. These behaviors include the following:
  • Attempting to delete a virtual value will fail with a “no such attribute” result.
  • If the virtual attribute provider is configured with a conflict-behavior of real-overrides-virtual, then attempting to add a value to an entry that only has virtual values will cause the virtual values to disappear.
  • If the virtual attribute provider is configured with a conflict-behavior of real-overrides-virtual, then attempting to remove all real values of an entry will cause the virtual values to appear.
  • If the virtual attribute provider is configured with a conflict-behavior of virtual-overrides-real, then attempting to add new values or replace the set of existing values will yield a success result, but the operation will have no visible effect on the entry.
  • If the virtual attribute provider is configured with a conflict-behavior of merge-real-and-virtual, then attempting to replace the set of values for an entry will yield a success result, but only the real values will have been replaced, and the virtual values will remain.

There is currently no method to prevent attempts to write to attributes with virtual values. The NO-USER-MODIFICATION constraint in attribute type definitions is honored, but this constraint can only be applied to operational attribute types; this is not an acceptable limitation in many cases. Access control restrictions could work for many clients, but will not have any effect for requesters with the bypass-acl privilege.
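
The write behaviors listed above can be reproduced with a small model, added here as an illustration; it is not the directory server's code. It assumes that writes only ever touch stored (real) values and that virtual-overrides-real falls back to real values when no virtual value is generated; the function names visible, apply_mod and audit_write are hypothetical.

```python
# Added example: simplified model, not the directory server's implementation.
REAL_OVERRIDES = "real-overrides-virtual"
VIRTUAL_OVERRIDES = "virtual-overrides-real"
MERGE = "merge-real-and-virtual"
SUCCESS, NO_SUCH_ATTRIBUTE = "success", "no such attribute"
VALUE_EXISTS = "attribute or value exists"


def visible(real, virtual, behavior):
    """Values a client reads back for the attribute."""
    if behavior == REAL_OVERRIDES:
        return set(real or virtual)
    if behavior == VIRTUAL_OVERRIDES:
        return set(virtual or real)  # assumption: real values show if nothing virtual
    if behavior == MERGE:
        return set(real) | set(virtual)
    raise ValueError(f"unknown conflict-behavior: {behavior}")


def apply_mod(stored, op, values):
    """Apply one modification to a stored value set; virtual values are never stored."""
    values = set(values)
    if op == "add":
        return (VALUE_EXISTS, stored) if values & stored else (SUCCESS, stored | values)
    if op == "replace":
        return SUCCESS, values
    if op == "delete":  # an empty value list means "delete the whole attribute"
        if not stored or not values <= stored:
            return NO_SUCH_ATTRIBUTE, stored
        return SUCCESS, stored - values if values else set()
    raise ValueError(f"unknown modification type: {op}")


def audit_write(real, virtual, behavior, op, values):
    """Compare the actual outcome with what a client unaware of virtual values expects."""
    real, before = set(real), visible(real, virtual, behavior)
    result, new_real = apply_mod(real, op, values)        # server side: real values only
    after = visible(new_real, virtual, behavior)
    expected = apply_mod(before, op, values)              # client view: all values are real
    return {
        "result": result,
        "before": before,
        "after": after,
        "surprising": (result, after) != expected,
    }
```

Running audit_write over the attribute and conflict-behavior combinations in a deployment's configuration shows which client writes will succeed without the effect the client expects, which is the case access control alone does not cover for requesters with bypass-acl.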