
Enhancement request to control the LDAP search depth per entry

My name is Maryline Maknavicius from INT (French Institute of
Telecommunications). I met Mr Zeilenga and some OpenLDAP members during
the IETF meeting in Vienna last July, and I was invited to attend the
OpenLDAP meeting there. Mr Zeilenga told me to submit as an ITS the idea
of extending OpenLDAP with an access control based on the
LDAP search depth. Prior to submitting an ITS, I prefer discussing the
idea on a mailing list, and I hope the OpenLDAP-devel list is the
appropriate one. As I am not familiar with how the OpenLDAP organization
works, please let me know if I am wrong or if I should submit that
proposal elsewhere.

I currently work on a project named CADDISC which aims to publish public
key certificates using both LDAP and DNSsec (security extension for DNS)
directories. The aim is to provide a two-level PKI, a global one based
on DNSsec, and a local one (companies, schools) using LDAP. The idea is
that anybody can check any certificate on the Internet. For further
information, please refer to the following web site:
http://www-lor.int-evry.fr/~maknavic/CADDISC/Caddisc-eng.html

In the context of a public PKI, we think there is one LDAP function
missing to make the certificate publication service usable. Indeed, as
it stands, assuming that certificates need to be available to
anybody (for certificate verification reasons, for instance), it is
possible for any user to make an exhaustive LDAP search on a particular
attribute so that all the certificates in the LDAP base may be
downloaded by that user. As identifiers within the users' certificates
are usually email addresses, it is then possible to make a list of
current email addresses of the company's employees and use it for spam.

To prevent that problem, the idea is to authorize access to a subset of
LDAP entries or attributes only if the LDAP request specifies the full
DN. This limitation would be activated on a per entry (or per attribute)
basis. 

If the OpenLDAP team has already implemented that function or has
suggestions, please let me know.
Thanks for your help.

Maryline Maknavicius
GET/INT
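To make the proposal concrete, here is an added example (not code from the message, and not OpenLDAP's own access control) that models the rule in a small in-memory directory: a set of attributes marked as protected is only visible to a request that names the entry's full DN, which is modelled as a base-scope search whose base DN equals the entry DN. The sample entries, the two protected attributes (`mail` and `userCertificate`) and the tiny filter parser are all assumptions made for the illustration. The same block shows the harvesting problem the message describes (a subtree presence search on `userCertificate` returning every address) and how the rule closes it while still answering a lookup of one known DN.

```python
# Added example: a model of the "attribute visible only when the request
# names the full DN" rule proposed in the message. Not OpenLDAP code; the
# directory contents and the policy below are constructed for illustration.
from typing import Dict, List

BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"

# Constructed sample directory (fictional people, placeholder certificate values).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["alice"],
        "mail": ["alice@example.com"], "userCertificate": ["CERT-A"]},
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["bob"],
        "mail": ["bob@example.com"], "userCertificate": ["CERT-B"]},
    "cn=carol,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["carol"],
        "mail": ["carol@example.com"], "userCertificate": ["CERT-C"]},
}

# Assumed policy: these attributes are neither returned nor usable in a filter
# unless the request is a base-scope search whose base DN is the entry's DN.
PROTECTED_ATTRS = {"mail", "userCertificate"}


def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN so DN comparisons are not whitespace/case sensitive."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Does the entry fall within the requested search scope below base_dn?"""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if scope == BASE:
        return entry == base
    if not entry.endswith("," + base):
        # The base entry itself is included by subtree but not by onelevel.
        return entry == base and scope == SUBTREE
    if scope == ONELEVEL:
        return "," not in entry[: -len(base) - 1]  # exactly one RDN below base
    return True  # SUBTREE: any descendant


def parse_filter(filter_str: str):
    """Minimal filter support: (attr=*) presence and (attr=value) equality only."""
    inner = filter_str.strip()
    if not (inner.startswith("(") and inner.endswith(")")) or "=" not in inner:
        raise ValueError("unsupported filter: " + filter_str)
    attr, value = inner[1:-1].split("=", 1)
    return attr.strip().lower(), value.strip()


def matches(attrs: Dict[str, List[str]], filter_str: str) -> bool:
    """Evaluate the filter against the attributes the requester is allowed to see."""
    attr, value = parse_filter(filter_str)
    values = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def visible_attrs(entry_dn: str, attrs: Dict[str, List[str]],
                  base_dn: str, scope: str, enforce: bool) -> Dict[str, List[str]]:
    """Strip protected attributes unless the request named this entry's full DN."""
    named_exactly = scope == BASE and normalize_dn(entry_dn) == normalize_dn(base_dn)
    if not enforce or named_exactly:
        return dict(attrs)
    return {k: v for k, v in attrs.items() if k not in PROTECTED_ATTRS}


def search(base_dn: str, scope: str, filter_str: str,
           enforce: bool = True) -> Dict[str, Dict[str, List[str]]]:
    """Run a search; the filter is applied to the *visible* view of each entry, so a
    protected attribute cannot be probed with a presence filter either."""
    results = {}
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base_dn, scope):
            continue
        view = visible_attrs(dn, attrs, base_dn, scope, enforce)
        if matches(view, filter_str):
            results[dn] = view
    return results


def harvest_mail(results: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """What an exhaustive search yields to a client: every mail value returned."""
    return sorted(m for attrs in results.values() for m in attrs.get("mail", []))


if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    print("without rule:", harvest_mail(search(people, SUBTREE, "(userCertificate=*)", enforce=False)))
    print("with rule:   ", harvest_mail(search(people, SUBTREE, "(userCertificate=*)")))
    print("known DN:    ", search("cn=alice,ou=people,dc=example,dc=com", BASE, "(objectClass=*)"))
```

A subtree search with a presence filter on `userCertificate` returns all three addresses without the rule and nothing with it, whereas a base-scope search naming `cn=alice,ou=people,dc=example,dc=com` still returns her certificate. Applying the filter to the visible view rather than to the raw entry matters: otherwise `(mail=alice@example.com)` would still confirm which addresses exist even though the attribute is never returned.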