
Re: hide attribute



Michael Ströder wrote:
Emmanuel Dreyfus wrote:
Michael Ströder <michael@stroeder.com> wrote:

Why not a simple ACL for a group? Do the applications bind anonymously?
Of course it does. I said it was ill-designed :-)

So why not point these ill-designed apps to a different DSA implemented by back-ldap with such an ACL?

A nicer approach would probably be to have a hidden jpegPhoto: it would not
be sent to a client requesting all attributes, but a client explicitly
requesting a set of attributes including jpegPhoto would get it.
I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.
Fortunately, the only apps I have that use the jpegPhoto are wise enough
to provide a set of attributes.

AFAIK commonly used LDAP browsers never explicitly request jpegPhoto when displaying a *single* entry. My web2ldap explicitly limits the attrs to be returned when searching multiple entries so as not to exhaust network bandwidth. But explicitly requesting binary attrs when displaying a single entry does not make sense for a generic LDAP client application.

Of course if you're not using such an application at all you won't have a
problem.

I think it would be interesting if an ACL could distinguish whether the
search request has scope base and grant read access to jpegPhoto only in
this case.

Technically, it would be relatively easy to implement. Theoretically, I see it as relatively critical, because it would imply that a specific access (read) depends on what operation and operation parameters are used. Looks a little bit disguising. Note that it doesn't seem to be in conflict with any specification. As in many cases, no objection to implementing it, although I would use it with care.


The suggested "feature", on the contrary, seems to be a little bit more linear: the administrator decides that some attributes (e.g. bandwidth intensive ones) are not shown by default, unless explicitly requested. I see a parallel with soft and hard search limits: the soft limit applies, unless a specifically requested limit is present. In that case, the requested limit applies, provided it complies with the hard limit.

p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
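
The hide-by-default semantics discussed in this thread, modelled as an added example that is not part of the original messages and is not OpenLDAP code: hidden attributes drop out of the "all attributes" expansion (the soft limit), an explicit request brings them back, and the ACL still has the final say (the hard limit). The `HIDDEN` set, the function names and the sample entry are assumptions made for illustration.

```python
# Added illustration: a toy model of LDAP search attribute selection.
# HIDDEN and the function names are hypothetical, not OpenLDAP settings.

HIDDEN = {"jpegphoto"}          # assumed admin-chosen "hidden by default" set

# Constructed sample entry (values shortened).
ENTRY = {
    "cn": ["Alice Example"],
    "mail": ["alice@example.com"],
    "jpegPhoto": [b"\xff\xd8...constructed..."],
}


def select_attrs(entry, requested, readable, hidden=HIDDEN):
    """Return the attributes a search result would carry.

    requested: attribute list from the search request; an empty list or
               "*" means "all user attributes" (RFC 4511).
    readable:  lower-cased names the ACLs let this identity read. This is
               the "hard limit": hiding never grants access.
    hidden:    lower-cased names left out of the "*" expansion. This is
               the "soft limit": an explicit request overrides it.
    """
    names = {r.lower() for r in requested}
    want_all = not names or "*" in names
    result = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key not in readable:
            continue                     # ACL denies: never returned
        explicit = key in names
        if explicit or (want_all and key not in hidden):
            result[attr] = values
    return result


def returned_names(requested, readable):
    """Sorted attribute names returned for ENTRY (helper for the demo)."""
    return sorted(select_attrs(ENTRY, requested, readable))


if __name__ == "__main__":
    everyone = {"cn", "mail", "jpegphoto"}
    print(returned_names([], everyone))                   # all-attributes request
    print(returned_names(["*", "jpegPhoto"], everyone))   # explicit request
    print(returned_names(["jpegPhoto"], {"cn", "mail"}))  # ACL still wins
```

In this model an anonymous client that is not allowed to read jpegPhoto gets nothing by asking for it explicitly, so hiding only saves bandwidth and does not replace the ACL.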