Re: (ITS#7649) Feature request: numSubordinates attribute
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7649) Feature request: numSubordinates attribute
- From: hyc@symas.com
- Date: Fri, 26 Jul 2013 15:03:41 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
ghenry@OpenLDAP.org wrote:
> Full_Name: Gavin Henry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.159.59.85)
> Submitted by: ghenry
>
>
> Dear all,
>
> It would be great if we supported a numSubordinates attribute so you can request
> a count of the number of entries say at a base of
> ou=suretec.hosted.surevoip.co.uk,ou=Contacts,dc=surevoip,dc=co,dc=uk rather than
> retrieve them all and count them up. I know there is a contrib noopsrch overlay
> that others are using.
>
> The only reference I can see that other directories have is based on this:
>
> http://tools.ietf.org/html/draft-ietf-boreham-numsubordinates-01

Need to think about this some more. While it's true that the back-hdb/mdb
backends already have this information and can easily provide it, it
introduces new security concerns that sysadmins would have to be aware of.
I.e., clients could use numsubordinates to discover the existence of entries
they are not permitted to access, which means sysadmins would need to add new
ACLs specifically for controlling access to numsubordinates.

If we just add the feature, and sysadmins aren't aware it was added, then they
have a security hole.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
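
The disclosure concern raised in the reply above, modelled as an added example (not part of the original message and not OpenLDAP code). The DNs, principals, and the `attr_readers` parameter are constructed assumptions; the model only contrasts a raw child count with what entry-level ACLs let a client see.

```python
"""Toy model (not OpenLDAP code) of the numSubordinates disclosure concern."""

BASE = "ou=Contacts,dc=example,dc=com"  # constructed sample DN

# Entry ACLs: DN -> principals allowed to read that entry (constructed data).
ENTRY_ACL = {
    BASE: {"alice", "bob"},
    "cn=public1," + BASE: {"alice", "bob"},
    "cn=public2," + BASE: {"alice", "bob"},
    "cn=private1," + BASE: {"alice"},
    "cn=private2," + BASE: {"alice"},
    "cn=deep,cn=public1," + BASE: {"alice", "bob"},  # grandchild, not counted
}


def children(base):
    """Immediate subordinates of base (assumes no escaped commas in RDNs)."""
    suffix = "," + base
    return [dn for dn in ENTRY_ACL
            if dn.endswith(suffix) and "," not in dn[:-len(suffix)]]


def one_level_search(who, base):
    """What a one-level search returns: only entries `who` may read."""
    return [dn for dn in children(base) if who in ENTRY_ACL[dn]]


def num_subordinates(who, base, attr_readers=None):
    """Backend's raw child count, gated only by an attribute-level ACL.

    attr_readers=None models the feature shipped with no dedicated ACL;
    a set models the extra ACL the message says sysadmins would need.
    """
    if who not in ENTRY_ACL[base]:
        return None
    if attr_readers is not None and who not in attr_readers:
        return None
    return len(children(base))


def hidden_entries_inferred(who, base, attr_readers=None):
    """Number of unreadable children `who` can deduce, or None if withheld."""
    count = num_subordinates(who, base, attr_readers)
    if count is None:
        return None
    return count - len(one_level_search(who, base))
```

With no attribute ACL, `bob` reads a count of 4 but a search shows him 2 entries, so he learns that 2 hidden entries exist. Restricting the attribute to `alice` withholds the count from `bob`.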