
Re: hide attribute



Emmanuel Dreyfus wrote:
Michael Ströder <michael@stroeder.com> wrote:

Why not a simple ACL for a group? Do the applications bind anonymously?

Of course it does. I said it was ill-designed :-)
A nicer approach would probably be to have a hidden jpegPhoto: it would not
be sent to a client requesting all attributes, but a client explicitly
requesting a set of attributes including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.

Fortunately, the only apps I have that use the jpegPhoto are wise enough to provide a set of attributes.

I think what you propose makes sense, I see few cases where it would be definitely useful. In general, anything that gives an administrator the possibility to tune resource exhaustion sounds welcome. I think an overlay is the right place.


With respect to your specific problem, you should be able to do something close to what you need by loading your jpegPhoto as jpegPhoto;x-mustberequested, then only allow access to this attribute and not to plain jpegPhoto.

p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------