Emmanuel Dreyfus wrote:
Michael Ströder michael@stroeder.com wrote:
Why not a simple ACL for a group? Do the applications bind anonymously?
Of course it does. I said it was ill-designed :-)
A nicer approach would probably be to have a hidden jpegPhoto: it would not be sent to a client requesting all attributes, but a client explicitly requesting a set of attributes including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the jpegPhoto to be displayed.
Fortunately, the only apps I have that use the jpegPhoto are wise enough to provide a set of attributes.
I think what you propose makes sense, I see few cases where it would be definitely useful. In general, anything that gives an administrator the possibility to tune resource exhaustion sounds welcome. I think an overlay is the right place.
With respect to your specific problem, you should be able to do something close to what you need by loading your jpegPhoto as jpegPhoto;x-mustberequested, then only allow access to this attribute and not to plain jpegPhoto.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
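The selection rule proposed in this thread (a "hidden" jpegPhoto that is left out of an all-attributes result but returned when named explicitly), modelled as an added example that is not part of the original messages and is not OpenLDAP code. The function name, the HIDDEN set and the sample entry are assumptions made for illustration.

```python
# Model of the proposed "must be requested" behaviour for search results.
# Not OpenLDAP code: names and the sample entry are constructed for illustration.

HIDDEN = {"jpegphoto"}  # assumption: attributes the administrator marks as hidden


def base_name(desc):
    """Attribute description without options, lowercased (names are case-insensitive)."""
    return desc.split(";", 1)[0].strip().lower()


def select_attributes(entry, requested, hidden=HIDDEN):
    """Return the user attributes of `entry` that would be sent to the client.

    entry:     dict of attribute description -> list of values
    requested: attribute list from the search request
    Simplification: options in the request are ignored, so asking for
    "jpegPhoto" also returns "jpegPhoto;binary" and similar subtypes.
    """
    names = [base_name(a) for a in requested]
    if names == ["1.1"]:                 # "1.1" alone asks for no attributes
        return {}
    all_user = not names or "*" in names  # empty list or "*" = all user attributes
    explicit = {n for n in names if n not in ("*", "+", "1.1")}
    result = {}
    for desc, values in entry.items():
        name = base_name(desc)
        # Hidden attributes are returned only when named explicitly.
        if name in explicit or (all_user and name not in hidden):
            result[desc] = values
    return result


# Constructed sample entry; the photo stands in for a large binary value.
ENTRY = {
    "cn": ["Jane Doe"],
    "mail": ["jane@example.org"],
    "jpegPhoto": [b"\xff\xd8" + b"\x00" * 100_000],
}

if __name__ == "__main__":
    for req in ([], ["*"], ["cn", "jpegPhoto"], ["*", "jpegPhoto"]):
        print(req, "->", sorted(select_attributes(ENTRY, req)))
```

A client that binds anonymously and asks for everything no longer receives the photo, while applications that already pass an attribute list including jpegPhoto are unaffected.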