Michael Ströder wrote:
Emmanuel Dreyfus wrote:
Michael Ströder michael@stroeder.com wrote:
Why not a simple ACL for a group? Do the applications bind anonymously?
Of course it does. I said it was ill-designed :-)
So why not point these ill-designed apps to a different DSA implemented by back-ldap with such an ACL?
A nicer approach would probably be to have a hidden jpegPhoto: it would not be sent to a client requesting all attributes, but a client explicitly requesting a set of attributes including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the jpegPhoto to be displayed.
Fortunately, the only apps I have that use the jpegPhoto are wise enough to provide a set of attributes.
AFAIK commonly used LDAP browsers never explicitly request jpegPhoto when displaying a *single* entry. My web2ldap explicitly limits the attrs to be returned when searching multiple entries so as not to exhaust network bandwidth. But explicitly requesting binary attrs when displaying a single entry does not make sense for a generic LDAP client application.
Of course if you're not using such an application at all you won't have a problem.
I think it would be interesting if an ACL could distinguish whether the search request has scope base and grant read access to jpegPhoto only in this case.
Technically, it would be relatively easy to implement. Theoretically, I see it relatively critical, because it would imply that a specific access (read) depends on what operation and operation parameters are used. Looks a little bit disguising. Note that it doesn't seem to be in conflict with any specification. As in many cases, no objection to implementing it, although I would use it with care.
The suggested "feature", on the contrary, seems to be a little bit more linear: the administrator decides that some attributes (e.g. bandwidth intensive ones) are not shown by default, unless explicitly requested. I see a parallel with soft and hard search limits: the soft limit applies, unless a specifically requested limit is present. In that case, the requested limit applies, provided it complies with the hard limit.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
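As an added example (not part of this thread or of OpenLDAP's own documentation), this is how the separate back-ldap DSA suggested earlier could be set up in slapd.conf so that anonymously binding clients that request all attributes never receive jpegPhoto, while a group of trusted readers still can. The host name, suffix, group DN and schema paths are constructed placeholders.

```conf
# slapd.conf on the proxy host (constructed example).
# Clients that bind anonymously and ask for all attributes are pointed
# at this DSA; clients that handle jpegPhoto properly keep using the
# real server directly.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
# inetorgperson.schema defines jpegPhoto, so the proxy can name it in ACLs.
include         /etc/openldap/schema/inetorgperson.schema

# Proxy everything under the suffix to the real DSA.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap-master.example.com/"

# back-ldap delegates most access checking to the remote server, but the
# frontend still applies read ACLs to the attribute values of entries
# returned by a search. Denying read on jpegPhoto therefore strips the
# photo from the result instead of rejecting the entry.
# Group membership is resolved through the proxied server; anonymous
# clients never match the group and fall through to "by * none".
access to attrs=jpegPhoto
        by group.exact="cn=photo-readers,ou=groups,dc=example,dc=com" read
        by * none

# All other attributes (and the entry itself) remain readable as before.
access to *
        by * read
```

A client that explicitly lists jpegPhoto in its requested attributes still gets nothing from this DSA unless it is a group member, so the "hidden unless requested" behaviour discussed in the thread is not what an ACL alone provides.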