
Re: (ITS#5872) slapo-cloak



ando@sys-net.it wrote:
> Hallvard B Furuseth wrote:
>> ando@sys-net.it writes:
>>> On a related note, if this can be considered of general usefulness, LDAP 
>>> specs would need to be changed in order to define a finer grain of 
>>> attribute request; something like:
>>>
>>> empty or "*" ; all user, except attrs that need to be explicitly req.
>>> "+" ; all operational
>>> <all including attrs that need to be explicitly requested>
>>> <...>
>> Would it be cleaner if slapo-cloak redefines the attributes to be
>> operational, or to behave as if they are?  Maybe give them an
>> X-AS-OPERATIONAL extension?  Or would that just mess up schema code,
>> things like attribute inheritance?
> 
> I think things would mess up.

I'd also recommend *not* to turn user attribute types into operational
attribute types. This would certainly confuse schema-aware clients.

> Moreover, I see a number of features system administrators could ask 
> for; e.g. hide attributes only when matching a URI (base, scope, 
> filter),

Well, that's something many overlays would benefit from.

> or based on size limit,

???

> or based on client's identity and so on.

That would be similar (not equal) to using ACLs. That was explicitly not
the case in the original inquiry.

Ciao, Michael.
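
The attribute-request semantics discussed in this thread, modelled as an added example (not part of the original messages, and not slapd or slapo-cloak code). The entry, the `CLOAKED` and `OPERATIONAL` sets and the function name are constructed for illustration; it assumes cloaking applies to user attributes only, as in the quoted proposal.

```python
# Model of LDAP search attribute selection where some user attributes are
# "cloaked": left out of "*" / empty requests, returned only when named.
# Constructed illustration; not taken from slapd or slapo-cloak.

OPERATIONAL = {"createtimestamp", "entryuuid"}
CLOAKED = {"jpegphoto"}  # hypothetical choice of cloaked attribute

ENTRY = {  # constructed sample entry
    "cn": ["Jane Doe"],
    "mail": ["jane@example.com"],
    "jpegPhoto": ["<binary>"],
    "createTimestamp": ["20090101000000Z"],
    "entryUUID": ["00000000-0000-0000-0000-000000000000"],
}


def select_attributes(entry, requested, cloaked=CLOAKED, operational=OPERATIONAL):
    """Return the attributes a search with this request list would yield."""
    req = {a.lower() for a in requested}
    all_user = not req or "*" in req   # an empty list means the same as "*"
    all_oper = "+" in req
    result = {}
    for name, values in entry.items():
        key = name.lower()             # attribute names are case-insensitive
        if key in req:
            # Explicitly named: returned even if cloaked or operational.
            result[name] = values
        elif key in operational:
            if all_oper:
                result[name] = values
        elif all_user and key not in cloaked:
            result[name] = values
    return result


if __name__ == "__main__":
    for request in ([], ["*"], ["*", "+"], ["*", "jpegPhoto"], ["1.1"]):
        print(request, "->", sorted(select_attributes(ENTRY, request)))
```

In this model any client that names the cloaked attribute receives it, which is why cloaking is not a substitute for ACLs when the goal is to restrict who may read a value.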