Re: hide attribute
Emmanuel Dreyfus wrote:
> Michael Ströder <michael@stroeder.com> wrote:
> 
>> Why not a simple ACL for a group? Do the applications bind anonymously?
> 
> Of course it does. I said it was ill-designed :-)

So why not point these ill-designed apps to a different DSA implemented
by back-ldap with such an ACL?

>>> A nicer approach would probably be to have a hidden jpegPhoto: it would not
>>> be sent to a client requesting all attributes, but a client explicitly
>>> requesting a set of attributes including jpegPhoto would get it.
>> I guess you will run into problems with some apps where you do want the
>> jpegPhoto to be displayed.
> 
> Fortunately, the only apps I have that use the jpegPhoto are wise enough
> to provide a set of attributes.

AFAIK commonly used LDAP browsers never explicitly request jpegPhoto
when displaying a *single* entry. My web2ldap explicitly limits the
attrs to be returned when searching multiple entries so as not to exhaust
network bandwidth. But explicitly requesting binary attrs when
displaying a single entry does not make sense for a generic LDAP client
application.

Of course if you're not using such applications at all you won't have a
problem.

I think it would be interesting if an ACL could distinguish whether the
search request has scope base and grant read access to jpegPhoto only in
this case.

Ciao, Michael.
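The back-ldap suggestion from the reply above, written out as a slapd.conf fragment. This is an added example, not configuration from the thread or from the OpenLDAP project; the hostnames, suffix and group DN are assumptions. The proxy DSA forwards each client's own bind to the real server and applies its own ACL, so anonymous clients of the legacy applications never see jpegPhoto while members of one group still can.

```conf
# Proxy DSA for the legacy applications (added example; names are assumptions).
# Point the ill-designed apps at this slapd instance instead of the real DSA.

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap-master.example.com/"

# Re-bind to the real DSA with the identity the client used here, so the
# remote server sees the same (possibly anonymous) identity and applies
# its own ACLs on top of ours.
rebind-as-user  yes

# Only members of the photo-readers group may read jpegPhoto through this
# proxy; everyone else (including anonymous binds) gets no access to it.
# The frontend evaluates these ACLs on entries returned by back-ldap.
access to attrs=jpegPhoto
        by group.exact="cn=photo-readers,ou=groups,dc=example,dc=com" read
        by * none

# Everything else stays readable, which is what the anonymous apps need.
# Tighten this to "by users read" if the legacy apps can authenticate.
access to *
        by * read
```

A client requesting all attributes, or even naming jpegPhoto explicitly, gets the attribute only when its bound identity is in the group; the real DSA is never exposed to the legacy applications directly.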