Emmanuel Dreyfus wrote:
> Many badly designed software fetch all attributes when looking up a user in the directory, instead of just fetching the ones they are interested in.
> My user objects have a jpegPhoto attribute, which gets fetched with the whole user object. jpegPhotos are big, so this causes unnecessary load on the network and LDAP servers and it slows down the login process on the bad software.
> Setting up an ACL to deny read access to jpegPhoto is not always feasible, nor is it easily maintainable.
Why not a simple ACL for a group? Do the applications bind anonymously?
> A nicer approach would probably be to have a hidden jpegPhoto: it would not be sent to a client requesting all attributes, but a client explicitly requesting a set of attributes including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the jpegPhoto to be displayed.
Ciao, Michael.
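The group-based ACL Michael suggests, as an added example that is not part of the thread. It assumes the server is OpenLDAP (slapd.conf syntax); the group DN, base DN and group name are placeholders.

```conf
# Added example, not from the thread. Assumes OpenLDAP slapd.conf;
# "cn=photo-readers,ou=groups,dc=example,dc=org" is a placeholder group.
#
# slapd stops at the first "access to" clause whose target matches, so the
# jpegPhoto rule must come BEFORE the catch-all rule below it.
access to attrs=jpegPhoto
        by self write
        by group.exact="cn=photo-readers,ou=groups,dc=example,dc=org" read
        by * none

# All other attributes stay readable by authenticated users; anonymous
# clients may only bind (auth), which is what login-only applications need.
access to *
        by self write
        by users read
        by anonymous auth
```

A client outside the group that asks for "all attributes" gets the entry back without jpegPhoto rather than an error, so the bloated lookups shrink without changing the application; clients that should display photos bind as a group member. Maintenance is then one group membership list instead of per-application ACL clauses.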