
Re: search right and attribute existence



On 11. aug. 2016 14:36, Michael Ströder wrote:
On 2016-08-11 14:13, Emmanuel Dreyfus wrote:
I would like to test if an attribute is set without disclosing it.
Using an ACL that grants the search right does it: I can do
ldapsearch -b dn '(attr=*)' dn
and see if I get a result.

Problem: it is still possible to brute force the attribute value,
by searching x* with x being the first letter, then xy* and so on.
(...)

I don't see how to avoid that.  There is a DISCLOSE access level, but
that's for what to disclose in error situations.  I think I'd maintain
a separate attribute which is TRUE if the original attribute exists.

And same issue if attribute type declaration in the schema allows ORDERING
searches...

Good point, and extended filters can do that without ORDERING in
the attrtype definition.

$ ldapsearch -LLLxh ldap.uio.no -b dc=uio,dc=no -s base \
    '(labeledURI:CaseIgnoreOrderingMatch:=N)' labeledURI
dn: dc=uio,dc=no
labeledURI: http://www.uio.no/

--
Hallvard
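An added illustration, not part of the thread: the slapd ACL pattern being discussed, with the leaky grant beside the separate-existence-attribute variant Michael suggests. The attribute names secretAttr and hasSecretAttr are placeholders, and keeping hasSecretAttr in step with secretAttr is assumed to be done by whatever writes secretAttr (application logic or an overlay), which the thread does not specify.

```conf
# Added example, not from the thread. secretAttr / hasSecretAttr are
# placeholder attribute types.

# Leaky: "search" on secretAttr lets a bound user confirm presence with
# (secretAttr=*), but the same right also evaluates substring filters
# (secretAttr=a*), (secretAttr=ab*), ... and extensible filters such as
# (secretAttr:CaseIgnoreOrderingMatch:=N), which work even when the schema
# declares no ORDERING rule. The value can therefore be recovered one
# character or one comparison at a time without ever being "read".
access to attrs=secretAttr
    by self write
    by users search
    by * none

# Tighter: nobody but the owner can evaluate filters against the real
# value. Existence is exposed through a separate attribute that is only
# ever TRUE or absent, so substring and ordering probes on it learn
# nothing beyond what (hasSecretAttr=*) already reveals.
# hasSecretAttr must be maintained alongside secretAttr (assumed to be
# done by the application or an overlay that writes secretAttr).
access to attrs=secretAttr
    by self write
    by * none

access to attrs=hasSecretAttr
    by users search
    by * none

# Check from a client, which should return the entry when the attribute
# is set and nothing otherwise:
#   ldapsearch -b <dn> -s base '(hasSecretAttr=TRUE)' dn
# while (secretAttr=a*) must now return nothing for every prefix.
```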