Michael Ströder wrote:
Emmanuel Dreyfus wrote:
> Michael Ströder <michael(a)stroeder.com> wrote:
>> Why not a simple ACL for a group? Do the applications bind anonymously?
> Of course it does. I said it was ill-designed :-)
So why not point these ill-designed apps to a different DSA implemented
by back-ldap with such an ACL?
>>> A nicer approach would probably to have a hidden jpegPhoto: it would not
>>> be sent to a client requesting all attributes, but a client explicitely
>>> requesting a set of attribute including jpegPhoto would get it.
>> I guess you will run into problems with some apps where you do want the
>> jpegPhoto to be displayed.
> Fortunately, the only apps I have that use the jpegPhoto are wise enough
> to provide a set of attributes.
AFAIK commonly used LDAP browsers never explicitly request jpegPhoto
when displaying a *single* entry. My web2ldap explicitly limits the
attrs to be returned when searching mutiple entries for not exhausting
network bandwidth. But explicitly requesting binary attrs when
displaying a single entry does not make sense for a generic LDAP client
Off course if you're not using such application at all you won't have a
I think it would be interesting if an ACL could distinguish whether the
search request has scope base and grant read access to jpegPhoto only in
Technically, it would be relatively easy to implement. Theoretically, I
see it relatively critical, because it would imply that a specific
access (read) depends on what operation and operation parameters are
used. Looks a little bit disguising. Note that it doesn't seem to be
in conflict with any specification. As in many cases, no objection to
implementing it, although I would use it with care.
The suggested "feature", on the contrary, seems to be a little bit more
linear: the administrator decides that some attributes (e.g. bandwidth
intensive ones) are not shown by default, unless explicitly requested.
I see a parallel with soft and hard search limits: the soft limit
applies, unless a specifically requested limit is present. In that
case, the requested limit applies, provided it complies with the hard limit.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497