[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: schema definition precedence

Today at 1:22pm, Michael Ströder wrote:

> Frank Swasey wrote:
> > 
> > Another example is uid, which is a security hole the size of Texas -- 
> > allowing substring matches so spammers can grab all your addresses!  If 
> > you want to use uid (and not have to redefine [like I am about to] every 
> > objectClass that uses uid), you HAVE to modify it to remove substring 
> > searches or you become a spam magnet.
> Nope. That's a matter of proper access control and indexing/limit settings, 
> hence a matter of server configuration not schema design.

Right... so I'm to provide a public directory that must allow search for 
uid by anonymous bind (or Netscape, outlook express, etc fail) and 
because I limit it to 50 hits per search, that somehow protects me 
against spammers who can do multiple searches???  Bzzzzt!  But thanks 
for playing....  

Or are you saying that by not providing substring indexing on uid that
the extra load placed on my server is going to slow everything down
enough that I'll get fired and won't have to worry about this anymore?  

Practically, I believe you that by making it more difficult spammers 
will go elsewhere (where they don't have to work hard to reap lots of 
addresses).  However, that doesn't mean that they can't do it.  Since 
the persistant bastard can do it I am required to prevent it.  The 
method I chose was to NOT use uid, but to define my own local attribute.  
Now, I'm being asked to provide other objectClasses (account or 
posixaccount) which really WANT uid.... I am not pleased with the 
quagmire I find myself in.

I haven't yet decided how I'm going to deal with this.  But one of the 
contenders is to screw with the uid attribute definition and use it 
instead of my local attribute.

Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===