
Re: (ITS#7649) Feature request: numSubordinates attribute



> Need to think about this some more. While it's true that the back-hdb/mdb
> backends already have this information and can easily provide it, it
> introduces new security concerns that sysadmins would have to be aware of.
> I.e., clients could use numsubordinates to discover the existence of entries
> they are not permitted to access. Which means sysadmins would need to add
> new ACLs specifically for controlling access to numsubordinates.
>
> If we just add the feature, and sysadmins aren't aware it was added, then
> they have a security hole.

That's very true. If it's an operational attribute, wouldn't normal
ACLs apply? For example, if you are only permitted to see "self" in
ou=Users, then you shouldn't be able to request numSubordinates on
ou=Users, or if you do, you only see 1.

Thanks.

-- 
Kind Regards,

Gavin Henry.
Managing Director.
