Full_Name: Gavin Henry
Version:
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.159.59.85)
Submitted by: ghenry

Dear all,

It would be great if we supported a numSubordinates attribute so you can request a count of the number of entries, say at a base of ou=suretec.hosted.surevoip.co.uk,ou=Contacts,dc=surevoip,dc=co,dc=uk, rather than retrieve them all and count them up. I know there is a contrib noopsrch overlay that others are using.

The only reference I can see that other directories have is based on this:

http://tools.ietf.org/html/draft-ietf-boreham-numsubordinates-01

Thanks,
Gavin.
ghenry@OpenLDAP.org wrote:
> Full_Name: Gavin Henry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.159.59.85)
> Submitted by: ghenry
>
>
> Dear all,
>
> It would be great if we supported a numSubordinates attribute so you can request
> a count of the number of entries say at a base of
> ou=suretec.hosted.surevoip.co.uk,ou=Contacts,dc=surevoip,dc=co,dc=uk rather than
> retrieve them all and count them up. I know there is a contrib noopsrch overlay
> that others are using.
>
> The only reference I can see that other directories has is based on this:
>
> http://tools.ietf.org/html/draft-ietf-boreham-numsubordinates-01

Need to think about this some more. While it's true that the back-hdb/mdb backends already have this information and can easily provide it, it introduces new security concerns that sysadmins would have to be aware of. I.e., clients could use numsubordinates to discover the existence of entries they are not permitted to access. Which means sysadmins would need to add new ACLs specifically for controlling access to numsubordinates.

If we just add the feature, and sysadmins aren't aware it was added, then they have a security hole.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
> Need to think about this some more. While it's true that the back-hdb/mdb
> backends already have this information and can easily provide it, it
> introduces new security concerns that sysadmins would have to be aware of.
> I.e., clients could use numsubordinates to discover the existence of entries
> they are not permitted to access. Which means sysadmins would need to add
> new ACLs specifically for controlling access to numsubordinates.
>
> If we just add the feature, and sysadmins aren't aware it was added, then
> they have a security hole.

That's very true. If it's an operational attribute wouldn't normal ACLs apply? For example, if you are only permitted to see "self" in ou=Users, then you shouldn't be able to request numSubordinates on ou=Users, or if you do you only see 1.

Thanks.

--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretec.co.uk

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered number: SC258005.
Registered office: 24 Cormack Park, Rothienorman, Inverurie, Aberdeenshire, AB51 8GL.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Do you know we have our own VoIP provider called SureVoIP? See http://www.surevoip.co.uk

Did you see our API? http://www.surevoip.co.uk/api
On Fri, 26 Jul 2013 15:03:41 GMT hyc@symas.com wrote:
> Need to think about this some more. While it's true that the back-hdb/mdb
> backends already have this information and can easily provide it, it
> introduces new security concerns that sysadmins would have to be aware of.
> I.e., clients could use numsubordinates to discover the existence of entries
> they are not permitted to access. Which means sysadmins would need to add new
> ACLs specifically for controlling access to numsubordinates.
>
> If we just add the feature, and sysadmins aren't aware it was added, then
> they have a security hole.

True, but not really a new security consideration for an admin. We already have 'hasSubordinates' anyway. And for whatever new operational attribute introduced in former times the admin was considered responsible to restrict access by appropriate ACLs.

I also find such an attribute to be very useful in some use-cases.

Another aspect is how searches like (numSubordinates>=1) can be efficiently handled, e.g. in cases where most entries will have numSubordinates=0. Yes, I admit I use it for count-like searches where using no-op search control is too expensive.

Ciao, Michael.
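To make the ACL point from the two replies above concrete, here is an added slapd.conf example; it is not from this ITS thread or from the OpenLDAP sources. It shows the catch-all rule that would leak a subordinate count to a client allowed to see only its own entry, beside a rule that names the count-bearing operational attributes explicitly. The DNs are constructed, hasSubordinates is the attribute back-hdb/mdb already expose, and numSubordinates is the attribute proposed in this thread, assumed here to be subject to attrs= ACLs like any other operational attribute.

```conf
# Added example, not part of the ITS thread. Constructed suffix dc=example,dc=com.
#
# Weak form: a general read rule covers every attribute of the matched entries,
# operational ones included, so a client that may only read "self" can still
# read hasSubordinates (and numSubordinates, if it were added) on ou=Users and
# on any sibling entry it can otherwise see, and use them in search filters.
#
#   access to dn.subtree="ou=Users,dc=example,dc=com"
#       by self read
#       by users read
#
# Hardened form: list the count-bearing operational attributes in their own
# rule and place it BEFORE the general rule. slapd evaluates "access to"
# directives in order and the first clause whose <what> matches decides, so
# this rule must come first or the general rule below would win.
access to dn.subtree="ou=Users,dc=example,dc=com"
        attrs=hasSubordinates,numSubordinates
    by dn.exact="cn=admin,dc=example,dc=com" read
    by * none
# "none" denies the "search" privilege too, so a filter such as
# (numSubordinates>=1) or (hasSubordinates=TRUE) cannot be used by
# anyone but the admin to probe for the existence of hidden entries.

# General rule for the remaining attributes; evaluated only when the
# attrs= rule above did not match.
access to dn.subtree="ou=Users,dc=example,dc=com"
    by self read
    by users search
```

Check the result with two binds (the admin DN and an ordinary user) running `ldapsearch -b ou=Users,dc=example,dc=com -s base "(objectClass=*)" hasSubordinates`; only the admin bind should get the attribute back.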
moved from Incoming to Software Enhancements
https://datatracker.ietf.org/doc/html/draft-boreham-numsubordinates-01