7.7. Processing an LDAP Modify Operation
When the Directory Server receives an LDAP modify request from a client, the frontend gets the DN of the entry to be modified and the modifications to be made. The frontend makes this information available to pre-operation and post-operation plug-in functions in the form of parameters in a parameter block.
Table 7.6. Table of Information Processed during an LDAP Modify Operation
| Parameter ID | Data Type | Description |
|---|---|---|
| SLAPI_MODIFY_TARGET | char * | DN of the entry to be modified. |
| SLAPI_MODIFY_MODS | LDAPMod ** | A NULL-terminated array of LDAPMod structures, which represent the modifications to be performed on the entry. |
The modify function should check the following:
- If the operation has been abandoned, the function should return -1.
  Note: You do not need to call slapi_send_ldap_result() to send an LDAP error code to the client. According to the LDAP protocol, the client does not expect a server response after an operation is abandoned.
- If the entry is a referral entry (that is, an entry with the object class ref) and no manageDSAIT control is included with the request, the function should call slapi_send_ldap_referral() to send a referral and return -1.
  To determine if a manageDSAIT control is present, call slapi_pblock_get() to get the value of the SLAPI_MANAGEDSAIT parameter. If the value is 1, the control is included in the request. If the value is 0, the control is not included in the request.
- If the entry does not exist, check the following:
  - If the closest matching entry is a referral entry, and if no manageDSAIT control is included in the request, the function should call slapi_send_ldap_referral() to send a referral and return -1.
  - Otherwise, the function should call slapi_send_ldap_result() to send an LDAP error code LDAP_NO_SUCH_OBJECT and return -1.
- If the entry is not schema-compliant (call slapi_entry_schema_check() to determine this), the function should call slapi_send_ldap_result() to send the LDAP error code LDAP_OBJECT_CLASS_VIOLATION and should return -1.
- If the RDN of the entry contains attribute values that are not part of the entry (for example, if the RDN is uid=bjensen, but the entry has no uid value or has a different uid value), the function should call slapi_send_ldap_result() to send the LDAP error code LDAP_NOT_ALLOWED_ON_RDN and should return -1.
- If the requester does not have permission to modify the entry (call slapi_access_allowed() to determine this), the function should call slapi_send_ldap_result() to send the LDAP error code LDAP_INSUFFICIENT_ACCESS and should return -1.
You should also verify that the ACI syntax for the entry is correct; call slapi_acl_check_mods() to determine this.
If the modify function is successful, the function should call slapi_send_ldap_result() to send an LDAP_SUCCESS code back to the client and should return 0.
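
The check sequence above, written as a pure C function so the order of the checks can be unit-tested apart from the server. This is an added example, not Red Hat's code: struct mod_state, struct verdict and modify_verdict() are hypothetical names, the flags stand in for the results of the slapi calls named in the list, and the numeric result codes are the RFC 4511 values. The ACI syntax check is left out because this section names no result code for it.

```c
#include <stdbool.h>
#include <stdio.h>

/* LDAP result codes, numeric values from RFC 4511. */
enum { LDAP_SUCCESS = 0, LDAP_NO_SUCH_OBJECT = 32, LDAP_INSUFFICIENT_ACCESS = 50,
       LDAP_OBJECT_CLASS_VIOLATION = 65, LDAP_NOT_ALLOWED_ON_RDN = 67 };

/* Hypothetical summary of what the backend learned about the request. */
struct mod_state {
    bool abandoned;    /* client abandoned the operation */
    bool manage_dsait; /* SLAPI_MANAGEDSAIT is 1 */
    bool exists;       /* entry named by SLAPI_MODIFY_TARGET was found */
    bool is_referral;  /* entry, or closest match if !exists, has object class ref */
    bool schema_ok;    /* slapi_entry_schema_check() reported compliance */
    bool rdn_ok;       /* RDN attribute values are still present in the entry */
    bool access_ok;    /* slapi_access_allowed() granted the modification */
};

enum reply { REPLY_NONE, REPLY_REFERRAL, REPLY_RESULT };
struct verdict { int rc; enum reply reply; int ldap_code; };

/* Applies the checks in the order the list gives them. */
struct verdict modify_verdict(const struct mod_state *s)
{
    if (s->abandoned)                       /* no response is sent at all */
        return (struct verdict){ -1, REPLY_NONE, 0 };
    if (s->is_referral && !s->manage_dsait) /* entry or closest match refers elsewhere */
        return (struct verdict){ -1, REPLY_REFERRAL, 0 };
    if (!s->exists)
        return (struct verdict){ -1, REPLY_RESULT, LDAP_NO_SUCH_OBJECT };
    if (!s->schema_ok)
        return (struct verdict){ -1, REPLY_RESULT, LDAP_OBJECT_CLASS_VIOLATION };
    if (!s->rdn_ok)
        return (struct verdict){ -1, REPLY_RESULT, LDAP_NOT_ALLOWED_ON_RDN };
    if (!s->access_ok)
        return (struct verdict){ -1, REPLY_RESULT, LDAP_INSUFFICIENT_ACCESS };
    return (struct verdict){ 0, REPLY_RESULT, LDAP_SUCCESS };
}

int main(void)
{
    /* Constructed case: missing entry below a referral, no manageDSAIT control. */
    struct mod_state s = { .is_referral = true };
    struct verdict v = modify_verdict(&s);
    printf("rc=%d reply=%d code=%d\n", v.rc, v.reply, v.ldap_code);
    return 0;
}
```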
