[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7649) Feature request: numSubordinates attribute

> Need to think about this some more. While it's true that the back-hdb/mdb
> backends already have this information and can easily provide it, it
> introduces new security concerns that sysadmins would have to be aware of.
> I.e., clients could use numsubordinates to discover the existence of entries
> they are not permitted to access. Which means sysadmins would need to add
> new ACLs specifically for controlling access to numsubordinates.
> If we just add the feature, and sysadmins aren't aware it was added, then
> they have a security hole.

That's very true. If it's an operational attribute wouldn't normal
ACLs apply? For example if you are only permitted to see "self" in
ou=Users, then you shouldn't be able to request numSubordinates on
ou=Users or if you do you only see 1.


Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretec.co.uk

Open Source. Open Solutions(tm).


Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman,
Aberdeenshire, AB51 8GL.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Do you know we have our own VoIP provider called SureVoIP? See

Did you see our API? http://www.surevoip.co.uk/api