Re: (ITS#7649) Feature request: numSubordinates attribute
> Need to think about this some more. While it's true that the back-hdb/mdb
> backends already have this information and can easily provide it, it
> introduces new security concerns that sysadmins would have to be aware of.
> I.e., clients could use numsubordinates to discover the existence of entries
> they are not permitted to access. Which means sysadmins would need to add
> new ACLs specifically for controlling access to numsubordinates.
>
> If we just add the feature, and sysadmins aren't aware it was added, then
> they have a security hole.
That's very true. If it's an operational attribute, wouldn't normal
ACLs apply? For example, if you are only permitted to see "self" in
ou=Users, then you shouldn't be able to request numSubordinates on
ou=Users, or if you do, you only see 1.
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretec.co.uk
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/