[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: hide attribute

Emmanuel Dreyfus wrote:
> Many badly designed software fetch all attribute when looking up an user
> in the directory, instead of just fetching the one they are interested
> in.
> My user objects have jpegPhoto attribute, which get fetched with the
> whole user object. jpegPhoto are big, so this cause unnescesary load on
> the network and LDAP servers and it slows down login process on the bad
> software.
> Setting up ACL to deny read access to jpegPhoto is not always feasible,
> nor it is easily maintainable.

Why not a simple ACL for a group? Do the applications bind anonymously?

> A nicer approach would probably to have a hidden jpegPhoto: it would not
> be sent to a client requesting all attributes, but a client explicitely
> requesting a set of attribute including jpegPhoto would get it.

I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.

Ciao, Michael.