Emmanuel Dreyfus wrote:
> Many badly designed software packages fetch all attributes when looking up a user
> in the directory, instead of just fetching the ones they are interested
> in.
> My user objects have a jpegPhoto attribute, which gets fetched with the
> whole user object. jpegPhotos are big, so this causes unnecessary load on
> the network and LDAP servers and it slows down the login process on the bad
> software.
> Setting up ACLs to deny read access to jpegPhoto is not always feasible,
> nor is it easily maintainable.
Why not a simple ACL for a group? Do the applications bind anonymously?
> A nicer approach would probably be to have a hidden jpegPhoto: it would
> not be sent to a client requesting all attributes, but a client explicitly
> requesting a set of attributes including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.
Ciao, Michael.
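As an added illustration of the group-based ACL Michael suggests (this is not from the thread; the database DN, the suffix and the group DN cn=photo-readers are assumed), the following LDIF inserts an OpenLDAP olcAccess rule that hides jpegPhoto from everyone except the entry owner and members of one group:

```ldif
# Added example, not from the original mail. Assumes a cn=config
# deployment whose user database is olcDatabase={1}mdb and whose
# suffix is dc=example,dc=com; adjust both to your directory.
#
# OpenLDAP stops at the first "to" clause that matches the attribute,
# so this rule is inserted at index {0} to run before any broad
# "to * by users read" rule that would otherwise disclose jpegPhoto.
# "by * none" means a client outside the group that asks for all
# attributes simply never sees jpegPhoto; it still receives every
# other attribute, so badly designed applications keep working while
# the large binary value stays off the wire. Applications that bind
# as the user themselves still match "by self read"; bind them with a
# service account that is not in cn=photo-readers if that is unwanted.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=jpegPhoto
  by group.exact="cn=photo-readers,ou=groups,dc=example,dc=com" read
  by self read
  by * none
```

Apply it with ldapmodify as the config administrator (for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f hide-jpegphoto.ldif`), then verify with an anonymous or service-account search that jpegPhoto is absent while a group member still receives it.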