grouper-dev - RE: [grouper-dev] RE: Different attribute that are the same for AD

Subject: Grouper Developers Forum

  • From: Gagné Sébastien <>
  • To: "Tom Zeller" <>
  • Cc: <>
  • Subject: RE: [grouper-dev] RE: Different attribute that are the same for AD
  • Date: Wed, 6 Feb 2013 15:43:10 -0500

I see, but in AttributeModifier you have two sections, one for Data Attribute
modification and one for reference modifications.
- Reference modifications, which are used for members, don't even support
replace operations, which makes sense for exactly the reason you stated.
- "normal" attributes are single valued and should be replaced by default.

Maybe I'm wrong about all this, I'm not an expert in the field, but I feel
like replace should be the default for .

An interesting bit I found while digging in the code is the "replaceValue"
attribute for attributes, this isn't documented anywhere, it's not even in
the modification's "toString" method (while all the other attributes are
there) :

<!-- The ldap group "description" attribute. -->
<attribute
    name="description"
    ref="groupDescription"
    replaceValues="true" />

Setting this flag does change the add-delete requests for a single replace
request. I will use that for the next deployment, but it feels wrong to set
this attribute on all the attribute definitions except for members.

Maybe a better solution would be to add the default value replaceValue to the
configuration file ?

Thank you for your time.

-----Original Message-----
From: Tom Zeller
[mailto:]

Sent: February 6, 2013 13:31
To: Gagné Sébastien
Cc:

Subject: Re: [grouper-dev] RE: Different attribute that are the same for AD

> If false, modifications should consist of add and delete operations.
> If true, modifications should consist of replace operations.
>
> private boolean replaceValues = false;
>
> This should be set to True, I don't understand why the default is
> false. Do you have a good reason for it ?

Consider an "everyone" group whose member attribute has 10k values. If
replaceValues was true, then every time a member is added or removed from the
group, 10k+1 values would be replaced rather than just adding or deleting a
single value. Setting replaceValues=true is probably only appropriate for
attributes with a reasonably small number of values.

> you're doing adds before deletes, you should reverse them

Except for the member attribute on openldap which must have a value, so
deleting the last value before adding a new one will result in an error.
Add-before-delete or delete-before-add could become a configuration option.
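
Added example, not part of the original messages and not Grouper's code: a plain-Python model of the trade-off discussed in this thread, comparing add/delete against replace for a large member attribute and showing why operation order matters when an attribute must keep at least one value. The function names, the sample DNs, and the rule that each operation is sent as its own request and rejected if it leaves a required attribute empty are assumptions made for the illustration.

```python
# Added illustration: a pure-Python model of LDAP modify operations.
# All names and sample values are constructed; no directory is contacted.

def plan(attr, current, desired, replace_values=False, add_first=True):
    """Return the (operation, attribute, values) list that turns current into desired."""
    current, desired = set(current), set(desired)
    if current == desired:
        return []
    if replace_values:
        # A single replace carries the complete desired value set.
        return [("replace", attr, sorted(desired))]
    ops = [("add", attr, sorted(desired - current)),
           ("delete", attr, sorted(current - desired))]
    if not add_first:
        ops.reverse()
    return [op for op in ops if op[2]]  # drop empty add/delete operations


def values_sent(ops):
    """Number of attribute values transmitted by a plan."""
    return sum(len(values) for _, _, values in ops)


def apply_requests(entry, ops, required=()):
    """Apply each operation as its own request (assumption) to a copy of entry.

    Assumed server rule: a request that would leave an attribute listed in
    `required` without any value is rejected with ValueError.
    """
    entry = {name: set(values) for name, values in entry.items()}
    for kind, attr, values in ops:
        have = entry.get(attr, set())
        if kind == "add":
            new = have | set(values)
        elif kind == "delete":
            new = have - set(values)
        else:  # replace
            new = set(values)
        if attr in required and not new:
            raise ValueError(f"{kind} would leave required attribute {attr!r} empty")
        entry[attr] = new
    return entry


# Constructed sample data: a 10k-member "everyone" group and one new member.
EVERYONE = [f"uid=user{i},ou=people,dc=example,dc=edu" for i in range(10_000)]
NEWCOMER = "uid=user10000,ou=people,dc=example,dc=edu"
```

In this model, adding one member to the 10k-value group sends 1 value with add/delete and 10001 with replace, while swapping the only member of a group succeeds add-first and is rejected delete-first.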
