[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enhancement request to control the LDAP search depth per entry



Maryline MAKNAVICIUS-LAURENT wrote:

In the context of a public PKI, we think there is one LDAP function missing to make the certificate publication service usable. Indeed, as it stands, assuming that certificates are needed to be available to anybody (for certificate verification reasons for instance), it is possible for any users to make an exhaustive LDAP search on a particular attribute so that all the certificates of the LDAP basis may be downloaded by the users.

The amount of search results returned can already be limited.

As identifiers within the users'certificates
are usually email addresses, it is then possible to make a list of
current email addresses of the company's employees and uses it for spam.


To prevent that problem, the idea is to authorize access to a subset of
LDAP entries or attributes only if the LDAP request specifies the full
DN. This limitation would be activated on a per entry (or per attribute)
basis.

You mean limit access to an attribute by search scope?

Not sure if that really helps solving the spammer problem since one can make an exhaustive search for retrieving all DNs and ask for the limited attributes afterwards in single search requests. :-/

Also most e-mail clients do not search for the DN and retrieve the attribute 'mail' afterwards. So your approach would make your directory unusable with most mainstream software out there.

Maybe I did get you wrong though...

Ciao, Michael.