ando@sys-net.it wrote:
Hallvard B Furuseth wrote:
ando@sys-net.it writes:
On a related note, if this can be considered of general usefulness, LDAP specs would need to be changed in order to define a finer grain of attribute request; something like:
empty or "*" ; all user, except attrs that need to be explicitly req.
"+" ; all operational
<all including attrs that need to be explicitly requested> <...>
Would it be cleaner if slapo-cloak redefines the attributes to be operational, or to behave as if they are? Maybe give them an X-AS-OPERATIONAL extension? Or would that just mess up schema code, things like attribute inheritance?
I think things would mess up.
I'd also recommend *not* to turn user attribute types into operational attribute types. This would certainly confuse schema-aware clients.
Moreover, I see a number of features system administrators could ask for; e.g. hide attributes only when matching a URI (base, scope, filter),
Well, that's something many overlays would benefit from.
or based on size limit,
???
or based on client's identity and so on.
That would be similar (not equal) to using ACLs. That was explicitly not the case in the original inquiry.
Ciao, Michael.