Emmanuel Dreyfus wrote:
> Michael Ströder <[email protected]> wrote:
>
>> Why not a simple ACL for a group? Do the applications bind anonymously?
>
> Of course it does. I said it was ill-designed :-)

So why not point these ill-designed apps to a different DSA implemented by back-ldap with such an ACL?

>>> A nicer approach would probably be to have a hidden jpegPhoto: it would not
>>> be sent to a client requesting all attributes, but a client explicitly
>>> requesting a set of attributes including jpegPhoto would get it.
>> I guess you will run into problems with some apps where you do want the
>> jpegPhoto to be displayed.
>
> Fortunately, the only apps I have that use the jpegPhoto are wise enough
> to provide a set of attributes.

AFAIK commonly used LDAP browsers never explicitly request jpegPhoto when displaying a *single* entry. My web2ldap explicitly limits the attrs to be returned when searching multiple entries so as not to exhaust network bandwidth. But explicitly requesting binary attrs when displaying a single entry does not make sense for a generic LDAP client application. Of course, if you're not using such an application at all you won't have a problem.

I think it would be interesting if an ACL could distinguish whether the search request has scope base and grant read access to jpegPhoto only in this case.

Ciao, Michael.
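The setup suggested above (a second DSA served by back-ldap that carries the group ACL, exposed only to the apps that bind anonymously), as an added slapd.conf example that is not part of the thread; the suffix, hostnames, group DN and the proxy's own bind credentials are assumed placeholders:

```conf
# Added example, not from the thread: this slapd instance proxies the real
# directory through back-ldap and is the only DSA the anonymous-binding apps
# are pointed at. Suffix, hostnames and DNs below are placeholders.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://master.example.com/"

# Identity the proxy uses for its own internal lookups (here: resolving the
# group's member list on the master), see acl-bind in slapd-ldap(5).
# Placeholder credentials, to be replaced.
acl-bind        bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="CHANGE-ME"

# Weak (and the implicit default when no access directive is given):
# everything readable by everyone, so an anonymous client asking for "*"
# pulls every jpegPhoto in the subtree.
#access to * by * read

# Corrected: jpegPhoto is readable only by members of the (placeholder)
# group; everyone else, anonymous binds included, gets no access to it and
# simply does not see the attribute in search results.
access to attrs=jpegPhoto
        by group/groupOfNames/member="cn=photo-readers,ou=groups,dc=example,dc=com" read
        by * none

# All other attributes stay readable as before.
access to *
        by * read
```

The ACL is evaluated on the proxy, so the master's own ACLs are untouched; clients that genuinely need the photo keep talking to the master (or bind as a group member against the proxy).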
