[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: hide attribute

Michael Ströder wrote:
Emmanuel Dreyfus wrote:
Michael Ströder <michael@stroeder.com> wrote:

Why not a simple ACL for a group? Do the applications bind anonymously?
Of course it does. I said it was ill-designed :-)

So why not point these ill-designed apps to a different DSA implemented by back-ldap with such an ACL?

A nicer approach would probably to have a hidden jpegPhoto: it would not
be sent to a client requesting all attributes, but a client explicitely
requesting a set of attribute including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.
Fortunately, the only apps I have that use the jpegPhoto are wise enough
to provide a set of attributes.

AFAIK commonly used LDAP browsers never explicitly request jpegPhoto when displaying a *single* entry. My web2ldap explicitly limits the attrs to be returned when searching mutiple entries for not exhausting network bandwidth. But explicitly requesting binary attrs when displaying a single entry does not make sense for a generic LDAP client application.

Off course if you're not using such application at all you won't have a

I think it would be interesting if an ACL could distinguish whether the
search request has scope base and grant read access to jpegPhoto only in
this case.

Technically, it would be relatively easy to implement. Theoretically, I see it relatively critical, because it would imply that a specific access (read) depends on what operation and operation parameters are used. Looks a little bit disguising. Note that it doesn't seem to be in conflict with any specification. As in many cases, no objection to implementing it, although I would use it with care.

The suggested "feature", on the contrary, seems to be a little bit more linear: the administrator decides that some attributes (e.g. bandwidth intensive ones) are not shown by default, unless explicitly requested. I see a parallel with soft and hard search limits: the soft limit applies, unless a specifically requested limit is present. In that case, the requested limit applies, provided it complies with the hard limit.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it