[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: schema definition precedence

Michael Ströder wrote:
If you don't have any possibility to limit access by ACLs then don't publish all the e-mail addresses or you have to live with e-mail addresses being public.
Either your directory is public or not.

This raises a question that interests and concerns me. There is very little protecting the information in public directories. I could pretty much get at all the info just using the protocol in these examples:


I'm most definitely not a spammer, but I could've been. With spam growing from nuisance to massive problem, is there a growing sense that public directories with contact information are a risky or unadvisable proposition? Are there tales of abuse? On a different note, what about launching searches on unindexed attributes as a DOS threat?

I don't see it as the only viable topology, but one of the reasons I like my current setup is because I don't have to worry about anybody outside my firewalled environment communicating directly to the LDAP server. Everything must go through port 80, and hence my own software's access control filters. The directory ACLs and limits are still in place, but you can't look at a branch of the directory unless I give you an interface. A DCE style project is in the works, though, so I'd be interested to hear testimony on "protecting" public server data beyond access control directives.

Jon Roberts