
Re: schema definition precedence



Michael Ströder wrote:
If you don't have any possibility to limit access by ACLs then don't publish all the e-mail addresses or you have to live with e-mail addresses being public.
...
Either your directory is public or not.

This raises a question that interests and concerns me. There is very little protecting the information in public directories. I could pretty much get at all the info just using the protocol in these examples:


http://www.mentata.com/ldaphttp/examples/bigten/

I'm most definitely not a spammer, but I could've been. With spam growing from nuisance to massive problem, is there a growing sense that public directories with contact information are a risky or unadvisable proposition? Are there tales of abuse? On a different note, what about launching searches on unindexed attributes as a DoS threat?

I don't see it as the only viable topology, but one of the reasons I like my current setup is because I don't have to worry about anybody outside my firewalled environment communicating directly to the LDAP server. Everything must go through port 80, and hence my own software's access control filters. The directory ACLs and limits are still in place, but you can't look at a branch of the directory unless I give you an interface. A DCE style project is in the works, though, so I'd be interested to hear testimony on "protecting" public server data beyond access control directives.

Jon Roberts
www.mentata.com
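Added example (not part of Jon's or Michael's mail): a constructed OpenLDAP slapd.conf fragment that addresses the two concerns raised above with server-side directives alone, i.e. without an HTTP front end. ACLs hide the contact attributes from anonymous binds, `index` lines cover the attributes anonymous clients are expected to search, and a `limits` line for anonymous caps result size, time, and the number of candidate entries slapd may examine, which is what turns a search on an unindexed attribute from a full-database scan into a rejected request. The suffix, paths, attribute choices and numeric limits are assumptions for the example.

```conf
# Constructed slapd.conf fragment (example only; suffix, paths and limits are assumed)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Index every attribute anonymous clients are expected to search on, so their
# queries are answered from a candidate set instead of a scan of the whole database.
index           objectClass     eq
index           cn,sn           eq,sub
index           uid             eq
index           mail            eq

# Resource limits for unauthenticated binds only (authenticated users keep the defaults):
#   size.soft / size.hard   entries returned per search (hard caps what the client may request)
#   time.soft / time.hard   seconds spent per search
#   size.unchecked          candidate entries slapd may examine before rejecting the search
#                           with adminLimitExceeded; a search on an unindexed attribute has
#                           the entire database as its candidate set, so any directory with
#                           more than 500 entries rejects it outright
limits anonymous size.soft=50 size.hard=200 size.unchecked=500 time.soft=10 time.hard=30

# ACLs are evaluated in order, first match wins, so the attribute rules come before "access to *".
# Anonymous clients can still find entries by name, but the contact attributes are not returned,
# so walking the tree over the protocol yields no address list.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=mail,telephoneNumber
        by self write
        by users read
        by * none
access to *
        by * read
```

After restarting slapd, an anonymous `ldapsearch -x` for an entry by `cn` should return the entry without its `mail` attribute, while the same anonymous bind filtering on an attribute that is not indexed (for example `description`) against a directory larger than the unchecked limit should fail with adminLimitExceeded rather than being served; binding as a user should return `mail` again. The limits line is what protects the server from the unindexed-search case, the ACL is what protects the data, and neither depends on the other.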