I just wanted to say that I hate LDAP with a passion.
I especially hate the iPlanet/Netscape/Fedora family of it, because they don't implement all of RFC 2251. They chose to ignore the part of the Modify DN operation (the optional newSuperior argument) that lets you move a node under a different parent. Their own documentation says as much: "To move an entry to a completely different branch, you must create a new entry in the alternative subtree using the old entry's attributes, and then delete the old entry."
If you have any uniqueness constraints (say, uid must be unique across the tree), that means deleting the old entry first, then adding the new one. If the add fails, the data is gone. Poof.
It also means you have to have privileges for every attribute on a node in order to move it. For example, consider a perfectly reasonable scenario: someone who is not trusted to know a person's password IS trusted to know whether that person is stationed in the US or the UK, and to move them between the corresponding subbranches (if your layout is like that). Except in the iPlanet/Netscape/Fedora family, that person also has to be trusted to "see" the password, so that they can create the new node with all of its attributes intact. If they can't read an attribute, the copy they create simply won't have it.
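To make the workaround concrete, here is an added example (mine, not code from the original post or from any directory server) of the add/delete emulation of a subtree move, with the two things the post complains about made visible: the delete-first ordering that a uniqueness constraint forces, and the way a mover who cannot read an attribute silently drops it. The `FakeDirectory` class, the sample tree under `dc=example,dc=com`, the `uid` uniqueness rule and the `readable` attribute filter are all constructed stand-ins for a server and its ACIs, not a real LDAP client; `move_entry` is the only part meant to carry over to real code.

```python
"""Emulate an LDAP subtree move on a server whose Modify DN cannot change the
parent, i.e. the iPlanet/Netscape/Fedora "add the copy, delete the original"
workaround, with a restore step for the delete-first case.

Everything in FakeDirectory is a constructed in-memory stand-in (NOT real LDAP):
unique_attrs models a server-side uniqueness plugin, readable models the ACIs of
the bound user (attributes outside the set are invisible to search)."""


class LdapError(Exception):
    """Base for the few LDAP result codes this example models."""


class NoSuchObject(LdapError):
    pass


class EntryAlreadyExists(LdapError):
    pass


class ConstraintViolation(LdapError):
    pass


class InsufficientAccess(LdapError):
    pass


class FakeDirectory:
    def __init__(self, entries, unique_attrs=("uid",), readable=None):
        self.entries = {dn: {a: list(v) for a, v in e.items()} for dn, e in entries.items()}
        self.unique_attrs = unique_attrs
        self.readable = readable  # None means the bound user may read everything

    def search(self, dn):
        """Return the entry as the bound user sees it (unreadable attrs omitted)."""
        if dn not in self.entries:
            raise NoSuchObject(dn)
        visible = self.entries[dn].items()
        if self.readable is not None:
            visible = [(a, v) for a, v in visible if a in self.readable]
        return {a: list(v) for a, v in visible}

    def add(self, dn, attrs):
        if dn in self.entries:
            raise EntryAlreadyExists(dn)
        parent = dn.split(",", 1)[1]
        if parent not in self.entries:
            raise NoSuchObject(parent)
        for attr in self.unique_attrs:  # the uniqueness plugin
            wanted = set(attrs.get(attr, []))
            if any(wanted & set(other.get(attr, [])) for other in self.entries.values()):
                raise ConstraintViolation(f"{attr} must be unique")
        self.entries[dn] = {a: list(v) for a, v in attrs.items()}

    def delete(self, dn):
        if dn not in self.entries:
            raise NoSuchObject(dn)
        del self.entries[dn]


def move_entry(directory, old_dn, new_parent, must_have=(), add_first=False):
    """Move old_dn under new_parent, keeping its RDN, via add + delete.

    add_first=True is the safe order (the original survives until the copy
    exists) but fails under a uniqueness constraint, which is why delete-first
    is the default. Delete-first leaves the in-memory snapshot as the only copy,
    so a failed add restores it (if the server is still reachable).
    must_have names attributes the snapshot must contain; an unreadable one
    (e.g. userPassword) would otherwise be dropped silently by the copy."""
    rdn = old_dn.split(",", 1)[0]
    new_dn = f"{rdn},{new_parent}"
    snapshot = directory.search(old_dn)
    missing = [a for a in must_have if a not in snapshot]
    if missing:
        raise InsufficientAccess(f"cannot read {missing}; the move would drop them")
    if add_first:
        directory.add(new_dn, snapshot)
        directory.delete(old_dn)
        return new_dn
    directory.delete(old_dn)
    try:
        directory.add(new_dn, snapshot)
    except LdapError:
        directory.add(old_dn, snapshot)  # put the original back before giving up
        raise
    return new_dn


def try_move(directory, *args, **kwargs):
    """Run move_entry and report ("ok", new_dn) or ("error", exception class name)."""
    try:
        return ("ok", move_entry(directory, *args, **kwargs))
    except LdapError as exc:
        return ("error", type(exc).__name__)


BASE = "dc=example,dc=com"
PEOPLE = f"ou=people,{BASE}"
ALICE_US = f"uid=alice,ou=US,{PEOPLE}"
PW = ["{SSHA}constructed-hash"]  # constructed sample value, not a real hash


def build_demo_directory(readable=None):
    """Constructed sample tree: a US and a UK branch with one user in the US."""
    ou = lambda name: {"objectClass": ["organizationalUnit"], "ou": [name]}
    entries = {
        BASE: {"objectClass": ["domain"], "dc": ["example"]},
        PEOPLE: ou("people"),
        f"ou=US,{PEOPLE}": ou("US"),
        f"ou=UK,{PEOPLE}": ou("UK"),
        ALICE_US: {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                   "cn": ["Alice Example"], "sn": ["Example"], "userPassword": PW},
    }
    return FakeDirectory(entries, readable=readable)


if __name__ == "__main__":
    print(try_move(build_demo_directory(), ALICE_US, f"ou=UK,{PEOPLE}"))
    print(try_move(build_demo_directory(), ALICE_US, f"ou=UK,{PEOPLE}", add_first=True))
    print(try_move(build_demo_directory(), ALICE_US, f"ou=UKK,{PEOPLE}"))  # typo'd parent
    helpdesk = frozenset({"objectClass", "uid", "cn", "sn"})  # cannot read userPassword
    print(try_move(build_demo_directory(readable=helpdesk), ALICE_US, f"ou=UK,{PEOPLE}",
                   must_have=("userPassword",)))
```

Running it shows the four cases in order: the plain move succeeds; the add-first order is rejected by the uid uniqueness rule; a typo in the target OU makes the add fail and the original is restored from the snapshot instead of vanishing; and a mover who cannot read `userPassword` is refused when the caller insists on it, whereas without `must_have` the same move "succeeds" and the recreated entry simply has no password.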
I think I just wasted three weeks trying to improve a data-loss scenario, based on the assumption that the previous programmer didn't know to use a feature. Instead, it turns out he did what he had to because the feature didn't exist (it's merely supposed to). At least in my new code I will comment on why the feature is implemented in such a broken way, to save the next guy a headache. And then perhaps I'll start a campaign to get the iPlanet/Netscape/Fedora LDAP implementations stripped of any mention that they comply with version 3.