Hello
Much badly designed software fetches all attributes when looking up a user in the directory, instead of just fetching the ones it is interested in.
My user objects have a jpegPhoto attribute, which gets fetched with the whole user object. jpegPhoto values are big, so this causes unnecessary load on the network and LDAP servers, and it slows down the login process in the bad software.
Setting up ACLs to deny read access to jpegPhoto is not always feasible, nor is it easily maintainable.
A nicer approach would probably be to have a hidden jpegPhoto: it would not be sent to a client requesting all attributes, but a client explicitly requesting a set of attributes including jpegPhoto would get it.
AFAIK, there is no way to do that for now. Am I right?
I suspect an overlay would be the right way of implementing it (slapo-cloak?). Would it be of enough interest to go into server/slapd/overlays? If it does, I will contribute it.
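The attribute-hiding rule proposed above, modelled in Python as an added example (not code from the message or from OpenLDAP): a cloaked attribute is dropped from a search result unless the client names it explicitly. The entry, the HIDDEN set and the function name are assumptions for illustration; the request semantics follow RFC 4511 (empty list or "*" means all user attributes, "1.1" means none, attribute names compare case-insensitively).

```python
# Added illustration of the "hidden attribute" semantics described in the
# message. This is not slapd code; it filters an in-memory entry the way the
# proposed overlay would filter a SearchResultEntry.

HIDDEN = {"jpegphoto"}  # attributes to cloak, lower-cased for comparison

# Constructed sample entry; the jpegPhoto value is a stub, not a real image.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "mail": ["jdoe@example.com"],
    "jpegPhoto": [b"\xff\xd8\xff\xe0" + b"\x00" * 16],
}


def filter_entry(entry, requested):
    """Return the attributes of `entry` a client would receive.

    `requested` is the attribute list from the SearchRequest. Per RFC 4511,
    an empty list or "*" asks for all user attributes and "1.1" asks for
    none. A cloaked attribute is returned only when the client names it
    explicitly; it is dropped when the client asks for everything.
    Operational attributes ("+") are not modelled here.
    """
    req = [a.lower() for a in requested]
    explicit = {a for a in req if a not in ("*", "1.1", "+")}
    want_all = not req or "*" in req
    result = {}
    for name, values in entry.items():
        key = name.lower()
        if key in HIDDEN:
            if key in explicit:  # explicitly requested: reveal it
                result[name] = values
            continue  # requested via "*" or empty list: cloak it
        if want_all or key in explicit:
            result[name] = values
    return result


if __name__ == "__main__":
    print(sorted(filter_entry(SAMPLE_ENTRY, [])))            # no jpegPhoto
    print(sorted(filter_entry(SAMPLE_ENTRY, ["uid", "jpegPhoto"])))
```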