Many badly designed software packages fetch all attributes when looking up a user
in the directory, instead of just fetching the one they are interested
My user objects have a jpegPhoto attribute, which gets fetched with the
whole user object. jpegPhotos are big, so this causes unnecessary load on
the network and LDAP servers, and it slows down the login process on the bad
Setting up an ACL to deny read access to jpegPhoto is not always feasible,
nor is it easily maintainable.
A nicer approach would probably be to have a hidden jpegPhoto: it would not
be sent to a client requesting all attributes, but a client explicitly
requesting a set of attributes including jpegPhoto would get it.
AFAIK, there is no way to do that for now. Am I right?
I suspect an overlay would be the right way of implementing it
(slapo-cloak?). Would it be of enough interest to go into
server/slapd/overlays? If so, I will contribute it.
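
The behaviour proposed in this message, modelled as an added example that is not part of the original post and is not slapd or overlay code. The names `select_attributes`, `payload_bytes` and `CLOAKED` and the sample entry are assumptions made up for illustration.

```python
# Model of the "hidden attribute" rule proposed above; not slapd code.
# Assumption: CLOAKED is the set of attribute types configured as hidden.
CLOAKED = {"jpegphoto"}

# Constructed sample entry; the photo is a 40 kB dummy value.
ENTRY = {
    "uid": [b"jdoe"],
    "cn": [b"John Doe"],
    "mail": [b"jdoe@example.org"],
    "jpegPhoto": [b"\xff\xd8" + b"\x00" * 40000],
}

def select_attributes(entry, requested, cloaked=CLOAKED):
    """Return the attributes a search response would carry.

    `requested` follows the RFC 4511 attribute list for user attributes:
    an empty list or "*" means all, "1.1" on its own means none.
    A cloaked attribute is returned only when it is named explicitly.
    """
    names = [r.lower() for r in requested]
    if names == ["1.1"]:
        return {}
    want_all = not names or "*" in names
    explicit = {n for n in names if n not in ("*", "+", "1.1")}
    selected = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key in explicit or (want_all and key not in cloaked):
            selected[attr] = values
    return selected

def payload_bytes(attrs):
    """Total size of the attribute values, as a rough cost of the response."""
    return sum(len(v) for values in attrs.values() for v in values)

if __name__ == "__main__":
    for req in ([], ["*"], ["uid", "mail"], ["cn", "jpegPhoto"], ["*", "jpegPhoto"]):
        got = select_attributes(ENTRY, req)
        print(req or "(all)", sorted(got), payload_bytes(got), "bytes")
```

Hiding an attribute this way only changes what "all attributes" returns; any client allowed to read jpegPhoto can still ask for it by name, so an ACL is still needed where the value itself must be protected.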