[email protected] wrote:
> Full_Name: Andrew Findlay
> Version: HEAD 12 Jan 2009
> OS: Linux
> URL:
> Submission from: (NULL) (88.97.25.132)
>
>
> Using ACLs to make a non-leaf object non-disclosable does not protect
> the subtree beneath that object.
>
> This is not what most people would expect (if I cannot see a given object
> then I would not expect to see things underneath it). It also provides
> a handy attack on supposedly non-detectable entries.
>
> For example, if I have a DIT like this:
>
> dc=example,dc=org--+
>                    +--dc=a--+
>                    |        +--dc=people--+
>                    |                      +--cn=a1
>                    |
>                    +--dc=b--+
>                             +--dc=people--+
>                                           +--cn=b1
>
> and I give read access on dc=example,dc=org (base)
> and on dc=a,dc=example,dc=org (subtree)
> and dc=people,dc=b,dc=example,dc=org (subtree)
> but no access at all on dc=b,dc=example,dc=org
> then I would not expect to be able to read the cn=b1 entry, as doing so would
> expose the existence of dc=b.
>
> What actually happens is that any attempt to read dc=b itself returns
> correctly as if the entry does not exist, but a simple subtree search
> happily returns cn=b1.
Which is the natural outcome of granting read access to the dc=people subtree. If you want the server's behavior to make sense, then give it ACLs that make sense.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
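The DIT and ACLs from the report above, as an added model that is not part of the thread and not slapd's own code: a small Python simulation of per-entry, first-match ACL evaluation, showing why a subtree search returns cn=b1 while a base read of dc=b reports nothing, and how an explicit deny on the dc=b subtree ordered ahead of the dc=people grant closes the gap. The entry list and access levels are constructed; the model ignores attribute-level access and the search/read distinction.

```python
# Added model (not slapd code): per-entry, first-match ACL evaluation over a
# constructed DIT mirroring the report. An entry is returned by a search if
# its own ACL grants read; nothing checks whether an ancestor is hidden.
DIT = [
    "dc=example,dc=org",
    "dc=a,dc=example,dc=org",
    "dc=people,dc=a,dc=example,dc=org",
    "cn=a1,dc=people,dc=a,dc=example,dc=org",
    "dc=b,dc=example,dc=org",
    "dc=people,dc=b,dc=example,dc=org",
    "cn=b1,dc=people,dc=b,dc=example,dc=org",
]
# ACLs as (scope, target dn, level): the report's configuration, with
# "no access at all on dc=b" left as the implicit default (no clause).
REPORTED = [
    ("base", "dc=example,dc=org", "read"),
    ("subtree", "dc=a,dc=example,dc=org", "read"),
    ("subtree", "dc=people,dc=b,dc=example,dc=org", "read"),
]
# Corrected ordering: an explicit deny on the whole dc=b subtree placed
# before the dc=people grant, so first-match shadows that grant.
CORRECTED = [
    ("base", "dc=example,dc=org", "read"),
    ("subtree", "dc=a,dc=example,dc=org", "read"),
    ("subtree", "dc=b,dc=example,dc=org", "none"),
    ("subtree", "dc=people,dc=b,dc=example,dc=org", "read"),
]

def in_scope(dn, scope, target):
    # base: the target only; subtree: the target and everything below it
    if scope == "base":
        return dn == target
    return dn == target or dn.endswith("," + target)

def access(dn, acls):
    """First clause whose target covers dn decides; no clause means no access."""
    for scope, target, level in acls:
        if in_scope(dn, scope, target):
            return level
    return "none"

def base_read(dn, acls):
    """Base-scope read: an unreadable entry is reported as if it did not exist."""
    return dn if dn in DIT and access(dn, acls) == "read" else None

def subtree_search(base, acls):
    """Subtree search: every candidate entry is checked on its own."""
    if access(base, acls) != "read":
        return None  # unreadable search base: reported as noSuchObject
    return [dn for dn in DIT if in_scope(dn, "subtree", base) and access(dn, acls) == "read"]
```

With REPORTED, base_read of dc=b returns None while subtree_search from the suffix still lists cn=b1; with CORRECTED, only the dc=a side is returned.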
