11:36 p.m.
Hello
Many badly designed software fetch all attribute when looking up an user
in the directory, instead of just fetching the one they are interested
in.
My user objects have jpegPhoto attribute, which get fetched with the
whole user object. jpegPhoto are big, so this cause unnescesary load on
the network and LDAP servers and it slows down login process on the bad
software.
Setting up ACL to deny read access to jpegPhoto is not always feasible,
nor it is easily maintainable.
A nicer approach would probably to have a hidden jpegPhoto: it would not
be sent to a client requesting all attributes, but a client explicitely
requesting a set of attribute including jpegPhoto would get it.
AFAIK, there is no way to do that for now. Am I right?
I suspect an overlay would be the right way of implementing it
(slapo-cloak?). Would it be of enough interest to go into
server/slapd/overlays ? If it does, I will contribute it.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
7:20 a.m.
Emmanuel Dreyfus wrote:
Many badly designed software fetch all attribute when looking up an user
in the directory, instead of just fetching the one they are interested
in.
My user objects have jpegPhoto attribute, which get fetched with the
whole user object. jpegPhoto are big, so this cause unnescesary load on
the network and LDAP servers and it slows down login process on the bad
software.
Setting up ACL to deny read access to jpegPhoto is not always feasible,
nor it is easily maintainable.
Why not a simple ACL for a group? Do the applications bind anonymously?
A nicer approach would probably to have a hidden jpegPhoto: it would
not
be sent to a client requesting all attributes, but a client explicitely
requesting a set of attribute including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.
Ciao, Michael.
8:45 a.m.
Michael Ströder <michael(a)stroeder.com> wrote:
Why not a simple ACL for a group? Do the applications bind
anonymously?
Of course it does. I said it was ill-designed :-)
> A nicer approach would probably to have a hidden jpegPhoto: it
would not
> be sent to a client requesting all attributes, but a client explicitely
> requesting a set of attribute including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.
Fortunately, the only apps I have that use the jpegPhoto are wise enough
to provide a set of attributes.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
10:37 a.m.
Emmanuel Dreyfus wrote:
Michael Ströder <michael(a)stroeder.com> wrote:
> Why not a simple ACL for a group? Do the applications bind anonymously?
Of course it does. I said it was ill-designed :-)
>> A nicer approach would probably to have a hidden jpegPhoto: it would not
>> be sent to a client requesting all attributes, but a client explicitely
>> requesting a set of attribute including jpegPhoto would get it.
> I guess you will run into problems with some apps where you do want the
> jpegPhoto to be displayed.
Fortunately, the only apps I have that use the jpegPhoto are wise enough
to provide a set of attributes.
I think what you propose makes sense, I see few cases where it would be
definitely useful. In general, anything gives an administrator the
possibility to tune resource exhaustion sounds welcome. I think an
overlay is the right place.
With respect to your specific problem, you should be able to do
something close to what you need by loading your jpegPhoto as
jpegPhoto;x-mustberequested, then only allow access to this attribute
and not to plain jpegPhoto.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
10:40 a.m.
Pierangelo Masarati wrote:
With respect to your specific problem, you should be able to do
something close to what you need by loading your jpegPhoto as
jpegPhoto;x-mustberequested, then only allow access to this attribute
and not to plain jpegPhoto.
Please disregard: never answer emails while having a snack :)
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
11:30 a.m.
Emmanuel Dreyfus wrote:
Michael Ströder <michael(a)stroeder.com> wrote:
> Why not a simple ACL for a group? Do the applications bind anonymously?
Of course it does. I said it was ill-designed :-)
So why not point these ill-designed apps to a different DSA implemented
by back-ldap with such an ACL?
>> A nicer approach would probably to have a hidden jpegPhoto:
it would not
>> be sent to a client requesting all attributes, but a client explicitely
>> requesting a set of attribute including jpegPhoto would get it.
> I guess you will run into problems with some apps where you do want the
> jpegPhoto to be displayed.
Fortunately, the only apps I have that use the jpegPhoto are wise enough
to provide a set of attributes.
AFAIK commonly used LDAP browsers never explicitly request jpegPhoto
when displaying a *single* entry. My web2ldap explicitly limits the
attrs to be returned when searching mutiple entries for not exhausting
network bandwidth. But explicitly requesting binary attrs when
displaying a single entry does not make sense for a generic LDAP client
application.
Off course if you're not using such application at all you won't have a
problem.
I think it would be interesting if an ACL could distinguish whether the
search request has scope base and grant read access to jpegPhoto only in
this case.
Ciao, Michael.
12:04 p.m.
Michael Ströder wrote:
Emmanuel Dreyfus wrote:
> Michael Ströder <michael(a)stroeder.com> wrote:
>
>> Why not a simple ACL for a group? Do the applications bind anonymously?
> Of course it does. I said it was ill-designed :-)
So why not point these ill-designed apps to a different DSA implemented
by back-ldap with such an ACL?
>>> A nicer approach would probably to have a hidden jpegPhoto: it would not
>>> be sent to a client requesting all attributes, but a client explicitely
>>> requesting a set of attribute including jpegPhoto would get it.
>> I guess you will run into problems with some apps where you do want the
>> jpegPhoto to be displayed.
> Fortunately, the only apps I have that use the jpegPhoto are wise enough
> to provide a set of attributes.
AFAIK commonly used LDAP browsers never explicitly request jpegPhoto
when displaying a *single* entry. My web2ldap explicitly limits the
attrs to be returned when searching mutiple entries for not exhausting
network bandwidth. But explicitly requesting binary attrs when
displaying a single entry does not make sense for a generic LDAP client
application.
Off course if you're not using such application at all you won't have a
problem.
I think it would be interesting if an ACL could distinguish whether the
search request has scope base and grant read access to jpegPhoto only in
this case.
Technically, it would be relatively easy to implement. Theoretically, I
see it relatively critical, because it would imply that a specific
access (read) depends on what operation and operation parameters are
used. Looks a little bit disguising. Note that it doesn't seem to be
in conflict with any specification. As in many cases, no objection to
implementing it, although I would use it with care.
The suggested "feature", on the contrary, seems to be a little bit more
linear: the administrator decides that some attributes (e.g. bandwidth
intensive ones) are not shown by default, unless explicitly requested.
I see a parallel with soft and hard search limits: the soft limit
applies, unless a specifically requested limit is present. In that
case, the requested limit applies, provided it complies with the hard limit.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
5:44 a.m.
Pierangelo Masarati <ando(a)sys-net.it> wrote:
The suggested "feature", on the contrary, seems to be a
little bit more
linear: the administrator decides that some attributes (e.g. bandwidth
intensive ones) are not shown by default, unless explicitly requested.
I see a parallel with soft and hard search limits: the soft limit
applies, unless a specifically requested limit is present. In that
case, the requested limit applies, provided it complies with the hard limit.
I wonder what is the best way of implementing such an overlay:
1) search with attrsonly=1 before the real search
if attribute list is NULL and attrsonly=0 {
perform searches with attrsonly=1
gather le list of returned attributes
filter out the cloaked ones
modify the original search operation to use that attribute set
}
perform the search
2) set a callback on search operations
if attribute list is NULL and attrsonly=0 {
set a callback on search
}
perform the search
if called back {
filter out cloaked attributes
}
Approach one duplicate the search, and it can waste some time, but it
avoid fetching the cloaked attribute. If it is dynamically generated,
there can be some benefit.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
12:07 a.m.
New subject: hide attribute (please review ITS#5872)
Pierangelo Masarati <ando(a)sys-net.it> wrote:
The suggested "feature", on the contrary, seems to be a
little bit more
linear: the administrator decides that some attributes (e.g. bandwidth
intensive ones) are not shown by default, unless explicitly requested.
I see a parallel with soft and hard search limits: the soft limit
applies, unless a specifically requested limit is present. In that
case, the requested limit applies, provided it complies with the hard limit.
Here is slapo-cloak, an overlay to hide selected attribute twhen they
are not explicitely requested.
http://www.openldap.org/its/index.cgi/Incoming?id=5872;page=5
Deeback are welcome.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
12:33 p.m.
Michael Ströder <michael(a)stroeder.com> wrote:
So why not point these ill-designed apps to a different DSA
implemented
by back-ldap with such an ACL?
Yes, that would work. It moves the setup to clients, with might be a bit
more complicated to handle than the server for system administrators:
there can be many clients, some of them you don't manage yourself.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
1:07 p.m.
Emmanuel Dreyfus wrote:
Michael Ströder <michael(a)stroeder.com> wrote:
> So why not point these ill-designed apps to a different DSA implemented
> by back-ldap with such an ACL?
Yes, that would work. It moves the setup to clients, with might be a bit
more complicated to handle than the server for system administrators:
there can be many clients, some of them you don't manage yourself.
=> Use back-ldap based setup for all anon access. Access to the real DSA
only to authenticated clients.
Ciao, Michael.
5384
days inactive
5389
days old
10 comments
3 participants
participants (3)
-
manu@netbsd.org -
Michael Ströder -
Pierangelo Masarati