[email protected] wrote:
> Full_Name: Gavin Henry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.159.59.85)
> Submitted by: ghenry
>
>
> Dear all,
>
> It would be great if we supported a numSubordinates attribute so you can request
> a count of the number of entries say at a base of
> ou=suretec.hosted.surevoip.co.uk,ou=Contacts,dc=surevoip,dc=co,dc=uk rather than
> retrieve them all and count them up. I know there is a contrib noopsrch overlay
> that others are using.
>
> The only reference I can see that other directories have is based on this:
>
> http://tools.ietf.org/html/draft-ietf-boreham-numsubordinates-01

Need to think about this some more. While it's true that the back-hdb/mdb backends already have this information and can easily provide it, it introduces new security concerns that sysadmins would have to be aware of. I.e., clients could use numsubordinates to discover the existence of entries they are not permitted to access. Which means sysadmins would need to add new ACLs specifically for controlling access to numsubordinates. If we just add the feature, and sysadmins aren't aware it was added, then they have a security hole.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
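
The concern raised in the reply above, modelled as an added example (not part of the original thread and not OpenLDAP code): a toy in-memory directory where a raw subordinate count exceeds what a restricted client can read, next to a variant where the count attribute has its own access list. All DNs, principals and function names are hypothetical.

```python
# Constructed toy directory: DN -> set of principals allowed to read that entry.
BASE = "ou=Contacts,dc=example,dc=com"
ENTRIES = {
    BASE: {"alice", "bob"},
    "cn=a," + BASE: {"alice", "bob"},
    "cn=b," + BASE: {"alice"},
    "cn=c," + BASE: {"alice"},
    "cn=d,cn=a," + BASE: {"alice"},  # grandchild, not an immediate subordinate
}

def parent(dn):
    """Parent DN (naive split; the toy DNs contain no escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def children(base):
    """Immediate subordinates of base, regardless of who is asking."""
    return [dn for dn in ENTRIES if parent(dn) == base]

def one_level_search(who, base):
    """What a one-level search returns: only entries `who` may read."""
    return sorted(dn for dn in children(base) if who in ENTRIES[dn])

def num_subordinates_raw(who, base):
    """Backend count exposed with no ACL of its own on the attribute."""
    if who not in ENTRIES.get(base, set()):
        return None
    return len(children(base))

def num_subordinates_gated(who, base, attr_readers):
    """Same count, but the attribute itself is access-controlled."""
    if who not in attr_readers:
        return None
    return num_subordinates_raw(who, base)

def hidden_entry_gap(who, base, count_fn):
    """Audit check: entries the count reveals beyond what `who` can read."""
    count = count_fn(who, base)
    return 0 if count is None else count - len(one_level_search(who, base))

if __name__ == "__main__":
    gated = lambda who, base: num_subordinates_gated(who, base, {"alice"})
    for who in ("alice", "bob"):
        print(who, "visible:", len(one_level_search(who, BASE)),
              "raw gap:", hidden_entry_gap(who, BASE, num_subordinates_raw),
              "gated gap:", hidden_entry_gap(who, BASE, gated))
```

A non-zero gap for any principal is the condition the reply describes: the count discloses entries the search itself would withhold.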
