if the attribute is mapped to one of the primary keys, each value in the attribute will correspond to one row in the database. So, if a value is added/deleted, the corresponding row will also be added/deleted. Replacing the entire attribute is the same as deleting all existing values and adding the new values.

A wrong selection of field as a primary key will lead to multi-valued attribute. Penrose doesn't support modify operation in this scenario because the behaviour is not well defined, i.e: attribute values ordering is not defined in LDAP, Penrose would not be able to determine which password goes to which row.

Resolution:

• Pick a primary key that will result in one-to-one relation between your database and LDAP entry. You can also use techniques such as [Composite RDN] or [Concatenation fields]