
Re: search right and attribute existence



On 2016-08-11 14:13, Emmanuel Dreyfus wrote:
> I would like to test if an attribute is set without disclosing it.
> Using an ACL that grants the search right does it: I can do
> ldapsearch -b dn 'attr=*' dn
> and see if I get a result.
>
> Problem: it is still possible to brute force the attribute value,
> by searching x* with x being the first letter, then xy* and so on.
>
> Is there a way to address this?

I don't know your schema, attribute values and requirements.
If it's a custom attribute type, disabling the SUBSTR matching rule is the only solution
in case of DirectoryString or IA5String syntax.

And same issue if attribute type declaration in the schema allows ORDERING searches...

Ciao, Michael.
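
A schema check for the point raised in the reply, as an added example that is not part of the original message: it scans OpenLDAP-style `attributetype` definitions and flags attributes meant to be testable only for presence that still declare a SUBSTR or ORDERING rule. The attribute names, OIDs and the `audit_schema` helper are hypothetical, and treating SUP as a source of inherited matching rules is an assumption to confirm against the parent definition.

```python
import re

# Constructed sample in OpenLDAP attributetype syntax; the OIDs and names
# are placeholders, not taken from the thread.
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleFlagA'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleFlagB'
    EQUALITY caseExactMatch ORDERING caseExactOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'exampleFlagC'
    DESC 'no SUBSTR or ORDERING rule declared'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.4 NAME 'exampleFlagD' SUP name )
"""

def audit_schema(text, protected):
    """Map each protected attribute (matched on its first NAME) to findings."""
    report = {}
    for chunk in re.split(r"(?im)^\s*attributetype\b", text)[1:]:
        m = re.search(r"\bNAME\s+\(?\s*'([^']+)'", chunk)
        if not m or m.group(1) not in protected:
            continue
        body = re.sub(r"'[^']*'", "", chunk)  # drop NAME/DESC strings
        rules = dict(re.findall(r"\b(SUBSTR|ORDERING|SUP)\s+(\S+)", body))
        issues = []
        if "SUBSTR" in rules:
            issues.append(f"SUBSTR {rules['SUBSTR']}: substring filters can reveal the value")
        if "ORDERING" in rules:
            issues.append(f"ORDERING {rules['ORDERING']}: ordering filters can reveal the value")
        if "SUP" in rules and not {"SUBSTR", "ORDERING"} <= rules.keys():
            issues.append(f"SUP {rules['SUP']}: matching rules may be inherited, audit the parent")
        report[m.group(1)] = issues
    return report

if __name__ == "__main__":
    names = {"exampleFlagA", "exampleFlagB", "exampleFlagC", "exampleFlagD"}
    for attr, issues in audit_schema(SAMPLE_SCHEMA, names).items():
        print(attr, "OK" if not issues else issues)
```
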