[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: hide attribute

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: hide attribute
From: Michael Ströder <michael@stroeder.com>
Date: Sat, 20 Dec 2008 16:20:38 +0100
Cc: openldap-devel@openldap.org
In-reply-to: <1is8nhd.1ynucf0y8wb7nM%manu@netbsd.org>
References: <1is8nhd.1ynucf0y8wb7nM%manu@netbsd.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14

Emmanuel Dreyfus wrote:
> 
> Many badly designed software fetch all attribute when looking up an user
> in the directory, instead of just fetching the one they are interested
> in.
> 
> My user objects have jpegPhoto attribute, which get fetched with the
> whole user object. jpegPhoto are big, so this cause unnescesary load on
> the network and LDAP servers and it slows down login process on the bad
> software.
> 
> Setting up ACL to deny read access to jpegPhoto is not always feasible,
> nor it is easily maintainable.

Why not a simple ACL for a group? Do the applications bind anonymously?

> A nicer approach would probably to have a hidden jpegPhoto: it would not
> be sent to a client requesting all attributes, but a client explicitely
> requesting a set of attribute including jpegPhoto would get it.

I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.

Ciao, Michael.

Follow-Ups:
- Re: hide attribute
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- hide attribute
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: hide attribute
Next by Date: Re: hide attribute
Index(es):
- Chronological
- Thread