
Re: (ITS#7649) Feature request: numSubordinates attribute



ghenry@OpenLDAP.org wrote:
> Full_Name: Gavin Henry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.159.59.85)
> Submitted by: ghenry
>
>
> Dear all,
>
> It would be great if we supported a numSubordinates attribute so you can request
> a count of the number of entries say at a base of
> ou=suretec.hosted.surevoip.co.uk,ou=Contacts,dc=surevoip,dc=co,dc=uk rather than
> retrieve them all and count them up. I know there is a contrib noopsrch overlay
> that others are using.
>
> The only reference I can see that other directories have is based on this:
>
> http://tools.ietf.org/html/draft-ietf-boreham-numsubordinates-01

Need to think about this some more. While it's true that the back-hdb/mdb 
backends already have this information and can easily provide it, it 
introduces new security concerns that sysadmins would have to be aware of. 
I.e., clients could use numsubordinates to discover the existence of entries 
they are not permitted to access. Which means sysadmins would need to add new 
ACLs specifically for controlling access to numsubordinates.

If we just add the feature, and sysadmins aren't aware it was added, then they 
have a security hole.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
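As an added illustration of the ACL gap Howard describes (not part of this thread or of OpenLDAP's configuration), here is a slapd.conf fragment that assumes the requested numSubordinates attribute were implemented as an operational attribute on the parent entry, and uses a constructed dc=example,dc=com tree with a hypothetical cn=helpdesk group.

```conf
# Existing ACLs: the ou=Contacts container itself is browsable by everyone,
# but the contact entries beneath it are readable only by the helpdesk group.
# dn.children matches only entries below the container, not the container.
access to dn.children="ou=Contacts,dc=example,dc=com"
    by group.exact="cn=helpdesk,ou=Groups,dc=example,dc=com" read
    by * none

# Gap: a numSubordinates attribute would be served on the container entry,
# which the rule above does not cover. Under the catch-all at the bottom,
# any client that can read the container also reads the count, so it can
# tell whether hidden children exist and watch the count change over time.
#
# Fix: an explicit rule for the attribute, placed before the catch-all, so the
# count is visible only to the same group that may read the entries it counts.
access to attrs=numSubordinates
    by group.exact="cn=helpdesk,ou=Groups,dc=example,dc=com" read
    by * none

# Catch-all for everything else in the directory.
access to *
    by * read
```

slapd applies the first `access to` clause whose target matches the entry and attribute being evaluated, so the order of the attrs=numSubordinates clause relative to the catch-all is what closes the gap.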