Ldap modify replace instead of delete

So this afternoon I was writing a Perl script to update our email LDAP. By accident I found out that when you replace an attribute with no value (e.g. undef in Perl), the attribute will be deleted! Even more interesting, you won't get an error if the attribute doesn't exist. If you delete the value instead, you get an error saying the attribute doesn't exist.

Even our local LDAP guru was surprised by this! I'm sure Frank will have fun abusing this feature.

It's nicely documented in RFC 4511:
delete: delete values listed from the modification attribute.
If no values are listed, or if all current values of the
attribute are listed, the entire attribute is removed.

replace: replace all existing values of the modification
attribute with the new values listed, creating the attribute
if it did not already exist. A replace with no value will
delete the entire attribute if it
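
The difference described above, as an added example that is not part of the original post: a small in-memory model of the delete and replace semantics (not a real LDAP client), plus a guard for provisioning scripts so that an unset variable does not silently remove an attribute. The entry layout and the names `modify`, `guarded_replace` and `allow_remove` are assumptions made for this illustration.

```python
# In-memory model of the LDAP Modify behaviour discussed above (no server involved).
NO_SUCH_ATTRIBUTE = 16  # LDAP resultCode noSuchAttribute


class LDAPError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def modify(entry, op, attr, values=()):
    """Apply one modification to entry (dict: attribute name -> list of values)."""
    values = list(values)
    if op == "delete":
        if attr not in entry:
            raise LDAPError(NO_SUCH_ATTRIBUTE, f"{attr}: no such attribute")
        missing = [v for v in values if v not in entry[attr]]
        if missing:
            raise LDAPError(NO_SUCH_ATTRIBUTE, f"{attr}: no such value {missing}")
        remaining = [v for v in entry[attr] if v not in values]
        if values and remaining:
            entry[attr] = remaining      # only the listed values are removed
        else:
            del entry[attr]              # no values listed, or all values listed
    elif op == "replace":
        if values:
            entry[attr] = values         # creates the attribute if needed
        else:
            entry.pop(attr, None)        # removes it if present, no error if absent
    else:
        raise ValueError(f"unsupported operation: {op}")


def guarded_replace(entry, attr, values, allow_remove=False):
    """Hypothetical wrapper: refuse an empty replace unless removal is intended."""
    cleaned = [v for v in (values or []) if v not in (None, "")]
    if not cleaned and not allow_remove:
        raise ValueError(f"refusing empty replace of {attr}: would delete it")
    modify(entry, "replace", attr, cleaned)


if __name__ == "__main__":
    # Constructed sample entry
    entry = {"mail": ["jdoe@example.com"], "description": ["temp"]}
    modify(entry, "replace", "description")   # attribute removed
    modify(entry, "replace", "description")   # already gone, still no error
    try:
        modify(entry, "delete", "description")
    except LDAPError as err:
        print("delete failed with resultCode", err.code)
```
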


I am not at all good at fixing bugs and solving issues. I usually follow the debugging tips in the blogs of and they are very useful for me every time. This attribute of modifying instead of deleting is definitely a good and time-saving idea.
