Emmanuel Dreyfus wrote:
>
> Much badly designed software fetches all attributes when looking up a user
> in the directory, instead of just fetching the one they are interested
> in.
>
> My user objects have a jpegPhoto attribute, which gets fetched with the
> whole user object. jpegPhoto are big, so this causes unnecessary load on
> the network and LDAP servers and it slows down the login process on the bad
> software.
>
> Setting up ACL to deny read access to jpegPhoto is not always feasible,
> nor is it easily maintainable.

Why not a simple ACL for a group? Do the applications bind anonymously?

> A nicer approach would probably be to have a hidden jpegPhoto: it would not
> be sent to a client requesting all attributes, but a client explicitly
> requesting a set of attributes including jpegPhoto would get it.

I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.

Ciao, Michael.
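
The following is an added example, not part of either message and not code from any LDAP server: a small model of the "hidden attribute" selection rule proposed above, layered on the standard RFC 4511 attribute-selection rules, showing what a fetch-all client and a client naming jpegPhoto would each receive. The `HIDDEN` set, the function names and the sample entry are assumptions made for illustration.

```python
# Constructed sample entry; all values are made up for illustration.
ENTRY = {
    "uid": [b"jdoe"],
    "cn": [b"John Doe"],
    "mail": [b"jdoe@example.org"],
    "jpegPhoto": [b"\xff\xd8" + b"\x00" * 40000],  # stand-in for a ~40 kB JPEG
}

# Hypothetical server setting: attributes left out of "all user attributes".
HIDDEN = {"jpegphoto"}


def select_attributes(entry, requested, hidden=HIDDEN):
    """Return the attributes a search result would carry for `requested`.

    Standard part (RFC 4511): an empty list or "*" selects all user
    attributes, "1.1" on its own selects none, names are case-insensitive.
    Proposed part (from the thread, not standard LDAP): names in `hidden`
    are skipped when expanding "all", but returned when named explicitly.
    """
    wanted = {a.lower() for a in requested}
    if wanted == {"1.1"}:
        return {}
    all_user = not wanted or "*" in wanted
    result = {}
    for name, values in entry.items():
        key = name.lower()
        if key in wanted or (all_user and key not in hidden):
            result[name] = values
    return result


def payload_size(attrs):
    """Rough size of the returned values in bytes (ignores BER overhead)."""
    return sum(len(v) for values in attrs.values() for v in values)


if __name__ == "__main__":
    for req in ([], ["*"], ["uid", "jpegPhoto"], ["*", "jpegPhoto"]):
        got = select_attributes(ENTRY, req)
        print(req, sorted(got), payload_size(got), "bytes")
```

The `[]` and `["*"]` rows are the case raised in the reply: an application that relies on fetch-all to display the photo gets an entry without it unless it is changed to name jpegPhoto.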
