> Need to think about this some more. While it's true that the back-hdb/mdb
> backends already have this information and can easily provide it, it
> introduces new security concerns that sysadmins would have to be aware of.
> I.e., clients could use numsubordinates to discover the existence of entries
> they are not permitted to access. Which means sysadmins would need to add
> new ACLs specifically for controlling access to numsubordinates.
>
> If we just add the feature, and sysadmins aren't aware it was added, then
> they have a security hole.

That's very true. If it's an operational attribute, wouldn't normal ACLs apply?

For example, if you are only permitted to see "self" in ou=Users, then you
shouldn't be able to request numSubordinates on ou=Users or, if you do, you only
see 1.

Thanks.

--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [email protected]

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk

Did you see our API? http://www.surevoip.co.uk/api
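
The two behaviours discussed in this thread, as an added Python model that is not part of the original messages and is not OpenLDAP code: a numSubordinates value taken straight from the backend's child count versus one computed only over children the bound client may read. The DNs, the "self only" policy and every function name are constructed for illustration.

```python
# Toy model of the concern raised above; this is not slapd code.
# All DNs and the "self only" policy below are constructed sample data.
USERS = "ou=Users,dc=example,dc=com"
ENTRIES = [USERS] + [f"uid={u},{USERS}"
                     for u in ("alice", "bob", "carol", "svc-backup")]


def parent(dn):
    # Naive split; real DNs need RFC 4514 parsing (escaped commas, case).
    return dn.split(",", 1)[1] if "," in dn else ""


def children(dn):
    return [e for e in ENTRIES if parent(e) == dn]


def can_read(bind_dn, dn):
    """Assumed policy: the container is readable, but below it a client
    may read only its own entry ("self")."""
    if dn == USERS:
        return True
    return parent(dn) == USERS and dn == bind_dn


def num_subordinates_raw(bind_dn, dn):
    """Backend child count handed out unchanged, ignoring who is asking."""
    return len(children(dn))


def num_subordinates_filtered(bind_dn, dn):
    """Count only the children this client is allowed to read."""
    return sum(1 for c in children(dn) if can_read(bind_dn, c))


def hidden_entries_revealed(bind_dn, dn, count_fn):
    """Reported count minus what a one-level search returns to the client.
    Anything above zero discloses entries the ACLs were meant to hide."""
    visible = [c for c in children(dn) if can_read(bind_dn, c)]
    return count_fn(bind_dn, dn) - len(visible)


if __name__ == "__main__":
    alice = f"uid=alice,{USERS}"
    for fn in (num_subordinates_raw, num_subordinates_filtered):
        print(fn.__name__, fn(alice, USERS),
              "hidden entries revealed:",
              hidden_entries_revealed(alice, USERS, fn))
```
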
