On Fri, 26 Jul 2013 15:03:41 GMT hyc(a)symas.com wrote
> Need to think about this some more. While it's true that the back-hdb/mdb
> backends already have this information and can easily provide it, it
> introduces new security concerns that sysadmins would have to be aware of.
> I.e., clients could use numsubordinates to discover the existence of entries
> they are not permitted to access. Which means sysadmins would need to add new
> ACLs specifically for controlling access to numsubordinates.
>
> If we just add the feature, and sysadmins aren't aware it was added, then
> they have a security hole.
True, but not really a new security consideration for an admin.
We already have 'hasSubordinates' anyway.
And for whatever new operational attribute introduced in former times the admin
was considered responsible to restrict access by appropriate ACLs.
I also find such an attribute to be very useful in some use-cases.
Another aspect is how searches like (numSubordinates>=1) can be efficiently
handled, e.g. in cases where most entries will have numSubordinates=0. Yes, I
admit I use it for count-like searches where using no-op search control is too
expensive.
Ciao, Michael.