Univention Bugzilla – Bug 56182
overwriting multi-value attribute of existing object impossible without warnings
Last modified: 2023-06-21 13:21:29 CEST
Created attachment 11074: test case

UCS 5.0-3 errata 712

I have an existing object (saml/serviceprovider). I want to replace all the configured "LDAPAttribute" elements in a single udm call. This seems to only be possible by using '--set LDAPattribute="…"' twice in a single call. That, however, will cause UDM to emit the well-known but highly misleading warning:

> WARNING: multiple values for LDAPattributes given via --set. Use --append instead!

I'll attach a script to illustrate the issue. The script creates three SAML SPs. Each time the creation step only creates a single LDAP attribute mapping for mail → mail. The goal is then to replace that existing mapping with two new mappings for givenName → first_name & sn → last_name.

The three test cases are:

1. udm saml/serviceprovider modify … --set LDAPattributes="…" --set LDAPattributes="…"
2. udm saml/serviceprovider modify … --set LDAPattributes="…" --append LDAPattributes="…"
3. udm saml/serviceprovider modify … --append LDAPattributes="…" --append LDAPattributes="…"

The results are:

1. "--set" twice
   This is almost OK: the modified object will have the two desired LDAP attribute mappings for givenName & sn, but not the one for mail. So far, so good. However, "udm" emits the warning shown above.

2. "--set" once, "--append" once
   This is not OK: the modified object will only have the one LDAP attribute mapping that's given via "--set" during the modification call. The one from "--append" is missing. This is due to the longstanding issue described in bug 4817.

3. "--append" twice
   This is not OK: the modified object will contain all three LDAP attribute mappings: the one from the creation + the two from the modification.

---------------------------------

In my opinion there are two bugs here:

1. As "--set" & "--append" cannot be combined (as in: udm will ignore any "--append" if "--set" is used for the same attribute), udm must emit an error message (or at least a warning) due to invalid usage. At the moment the "--append" parameters are silently ignored.

2. As the only way to overwrite existing multi-value attributes is to only use "--set" for each value, the warning must be removed as udm cannot mind read: it doesn't know if the user wants to replace existing elements (only use "--set") or add to existing ones (only use "--append").

Can you try two additional test cases:

5. udm saml/serviceprovider modify … --remove LDAPattributes --append LDAPattributes="…"
6. udm saml/serviceprovider modify … --remove LDAPattributes="…" --append LDAPattributes="…"

Sure thing.

4. --remove "LDAPattributes" --append "LDAPattributes=givenName first_name" --append "LDAPattributes=sn last_name"
   Result: no LDAPattributes at all. No warning emitted. I consider both to be a bug or at least worthy of a warning.

5. --remove "LDAPattributes=mail mail" --append "LDAPattributes=givenName first_name" --append "LDAPattributes=sn last_name"
   Result: only the two wanted mappings for givenName & sn are present, but not the one for mail. This is OK. No warning emitted.

From a usability point of view this way isn't ideal either as I'd have to parse the existing attributes & explicitly mention them on the command line. What I really want is a way to say "replace all existing values with these ones & don't shout about me being wrong about it".

OK, what I actually want is for udm to make correct usage easy & wrong usage hard. At the moment it makes correct usage (only "--set", no "--append") hard due to the misleading warning. It also makes wrong usage (combining "--set" with "--append", or argument-less "--replace" with "--append") hard due to there being no warning at all.

udm already warns us about unused arguments, which I consider very, very good as it makes wrong usage harder:

[0 root@trinculo ~] udm users/user modify --dn "$(udm users/user list --filter uid=mbunkus |grep '^DN:'|sed -e 's/^DN: //')" --set description=moocow dieserparameteristunbekannt
WARNING: the following arguments are ignored: "dieserparameteristunbekannt"

I guess the existing warning about "use --append instead" was supposed to prevent similar types of mistakes, but at the moment it warns about otherwise correct usage and is therefore a bad warning.

Ugh, I meant to say:

> It also makes wrong usage (combining "--set" with "--append", or argument-less "--replace" with "--append") **easy** due to there being no warning at all.
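
Added example, not part of the bug report and not UDM code: a pre-flight check that a provisioning script could run over its own argument list to flag the option combinations this report found to behave unexpectedly. The function name, the finding codes and the two-argument option form are assumptions; the sample argument lists are constructed from the test cases in the thread.

```python
from collections import defaultdict

OPS = ("--set", "--append", "--remove")

def lint_udm_modify(argv):
    """Flag per-attribute option mixes that this bug report shows to misbehave.

    Hypothetical helper: it inspects an argument list only and never calls udm.
    Assumes options are written as '--set NAME=VALUE' (two separate arguments).
    """
    used = defaultdict(lambda: {op: [] for op in OPS})  # attribute -> option -> values
    i = 0
    while i < len(argv):
        if argv[i] in OPS and i + 1 < len(argv):
            name, sep, value = argv[i + 1].partition("=")
            used[name][argv[i]].append(value if sep else None)  # None: no "=VALUE"
            i += 2
        else:
            i += 1
    findings = []
    for name, ops in used.items():
        if ops["--set"] and ops["--append"]:
            # Test case 2: the --append values were silently dropped.
            findings.append((name, "set+append"))
        if None in ops["--remove"] and ops["--append"]:
            # Test case 4: the object ended up with no values at all.
            findings.append((name, "bare-remove+append"))
        if len(ops["--set"]) > 1 and not ops["--append"]:
            # Test case 1: replaces all values, but udm prints "Use --append instead!".
            findings.append((name, "multi-set-warning"))
    return findings

# Constructed argument lists modelled on the test cases in this report.
BASE = ["saml/serviceprovider", "modify", "--dn", "<DN placeholder>"]
NEW = ["LDAPattributes=givenName first_name", "LDAPattributes=sn last_name"]
CASES = {
    "set twice": BASE + ["--set", NEW[0], "--set", NEW[1]],
    "set then append": BASE + ["--set", NEW[0], "--append", NEW[1]],
    "append twice": BASE + ["--append", NEW[0], "--append", NEW[1]],
    "bare remove": BASE + ["--remove", "LDAPattributes", "--append", NEW[0], "--append", NEW[1]],
    "remove value": BASE + ["--remove", "LDAPattributes=mail mail", "--append", NEW[0], "--append", NEW[1]],
}

if __name__ == "__main__":
    for label, argv in CASES.items():
        print(f"{label}: {lint_udm_modify(argv) or 'no findings'}")
```

The "append twice" and "remove value" cases produce no findings because udm did what the options say there; whether adding to the existing values is what the caller wanted is outside what an argument check can tell.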