Re: schema definition precedence
Today at 1:22pm, Michael Ströder wrote:
> Frank Swasey wrote:
> > Another example is uid, which is a security hole the size of Texas --
> > allowing substring matches so spammers can grab all your addresses! If
> > you want to use uid (and not have to redefine [like I am about to] every
> > objectClass that uses uid), you HAVE to modify it to remove substring
> > searches or you become a spam magnet.
> Nope. That's a matter of proper access control and indexing/limit settings,
> hence a matter of server configuration not schema design.
Right... so I'm to provide a public directory that must allow search for
uid by anonymous bind (or Netscape, Outlook Express, etc. fail) and
because I limit it to 50 hits per search, that somehow protects me
against spammers who can do multiple searches??? Bzzzzt! But thanks
Or are you saying that by not providing substring indexing on uid that
the extra load placed on my server is going to slow everything down
enough that I'll get fired and won't have to worry about this anymore?
Practically, I believe you that by making it more difficult spammers
will go elsewhere (where they don't have to work hard to reap lots of
addresses). However, that doesn't mean that they can't do it. Since
the persistent bastard can do it I am required to prevent it. The
method I chose was to NOT use uid, but to define my own local attribute.
Now, I'm being asked to provide other objectClasses (account or
posixaccount) which really WANT uid.... I am not pleased with the
quagmire I find myself in.
I haven't yet decided how I'm going to deal with this. But one of the
contenders is to screw with the uid attribute definition and use it
instead of my local attribute.
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God Bless Us All ===
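
An added detection example, not part of the original message: the thread argues over whether a 50-entry size limit stops address harvesting when a client can simply issue many searches. The sketch below counts, per client IP, unauthenticated substring searches on uid and how many of them ran into the size limit (result code 4). It assumes OpenLDAP slapd stats-level log lines; the sample log, the function name and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of slapd stats logging (an assumption).
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=1 SRCH base="dc=example,dc=edu" scope=2 deref=0 filter="(uid=a*)"
conn=1000 op=1 SEARCH RESULT tag=101 err=4 nentries=50 text=
conn=1000 op=2 SRCH base="dc=example,dc=edu" scope=2 deref=0 filter="(uid=b*)"
conn=1000 op=2 SEARCH RESULT tag=101 err=4 nentries=50 text=
conn=1000 op=3 SRCH base="dc=example,dc=edu" scope=2 deref=0 filter="(uid=c*)"
conn=1000 op=3 SEARCH RESULT tag=101 err=4 nentries=50 text=
conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=admin,dc=example,dc=edu" method=128
conn=1001 op=1 SRCH base="dc=example,dc=edu" scope=2 deref=0 filter="(uid=j*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
conn=1002 fd=14 ACCEPT from IP=192.0.2.30:40001 (IP=0.0.0.0:389)
conn=1002 op=0 SRCH base="dc=example,dc=edu" scope=2 deref=0 filter="(uid=fcs)"
conn=1002 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([^:\s]+)')
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="[^"]+"')  # non-empty DN only
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="(.*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')
# uid filter containing a wildcard, excluding the pure presence test (uid=*)
UID_SUBSTR = re.compile(r'\(uid=(?=[^)]*\*)(?!\*\))[^)]+\)', re.I)
SIZE_LIMIT_EXCEEDED = "4"  # LDAP result code sizeLimitExceeded

def flag_uid_sweeps(log_text, min_searches=3):
    """Return {client_ip: stats} for anonymous clients repeating uid substring searches."""
    peer, authed, pending = {}, set(), set()
    stats = defaultdict(lambda: {"searches": 0, "limit_hit": 0, "entries": 0})
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            peer[m[1]] = m[2]
        elif m := BIND.search(line):
            authed.add(m[1])          # connection bound with a real DN
        elif m := SRCH.search(line):
            if m[1] not in authed and UID_SUBSTR.search(m[3]):
                pending.add((m[1], m[2]))
        elif (m := RESULT.search(line)) and (m[1], m[2]) in pending:
            pending.discard((m[1], m[2]))
            s = stats[peer.get(m[1], "unknown")]
            s["searches"] += 1
            s["limit_hit"] += m[3] == SIZE_LIMIT_EXCEEDED
            s["entries"] += int(m[4])
    return {ip: s for ip, s in stats.items() if s["searches"] >= min_searches}
```

On the constructed sample, only 192.0.2.10 is reported: three anonymous searches, each stopped at the limit, still returned 150 entries in total.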