ghenry@OpenLDAP.org wrote:
Full_Name: Gavin Henry
Version:
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.159.59.85)
Submitted by: ghenry
Dear all,
It would be great if we supported a numSubordinates attribute so you can request a count of the number of entries, say at a base of ou=suretec.hosted.surevoip.co.uk,ou=Contacts,dc=surevoip,dc=co,dc=uk, rather than retrieve them all and count them up. I know there is a contrib noopsrch overlay that others are using.
The only reference I can see that other directories have is based on this:
http://tools.ietf.org/html/draft-ietf-boreham-numsubordinates-01
Need to think about this some more. While it's true that the back-hdb/mdb backends already have this information and can easily provide it, it introduces new security concerns that sysadmins would have to be aware of. I.e., clients could use numsubordinates to discover the existence of entries they are not permitted to access. Which means sysadmins would need to add new ACLs specifically for controlling access to numsubordinates.
If we just add the feature, and sysadmins aren't aware it was added, then they have a security hole.
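
The following sketch is an added illustration of the concern in the reply above; it is not part of the original thread and is not OpenLDAP code. It models a toy directory in Python to show how an unrestricted child count discloses entries that an ACL-filtered search hides, and how a separate ACL on the attribute closes the gap. The DNs, identities and function names are all hypothetical.

```python
# Constructed toy directory: DN -> identities allowed to read that entry.
# DN handling is simplified (no escaped commas); all names are hypothetical.
BASE = "ou=Contacts,dc=example,dc=com"
DIRECTORY = {
    BASE: {"alice", "bob"},
    "cn=public1," + BASE: {"alice", "bob"},
    "cn=public2," + BASE: {"alice", "bob"},
    "cn=private1," + BASE: {"alice"},  # bob must not learn this entry exists
}

def children(base):
    """Immediate subordinates of base, regardless of who is asking."""
    return [dn for dn in DIRECTORY if dn.split(",", 1)[-1] == base and dn != base]

def search_one_level(who, base):
    """An ordinary one-level search: entries are filtered by entry ACLs."""
    return [dn for dn in children(base) if who in DIRECTORY[dn]]

def num_subordinates_naive(who, base):
    """Feature added with no new ACL: anyone who can read the base entry
    gets the backend's raw child count."""
    if who not in DIRECTORY[base]:
        return None
    return len(children(base))

def num_subordinates_with_attr_acl(who, base, attr_readers):
    """Same count, but gated by an ACL specific to the attribute.
    attr_readers is the set of identities allowed to read it."""
    if who not in DIRECTORY[base] or who not in attr_readers:
        return None
    return len(children(base))

def entries_disclosed(who, base, count):
    """How many entries the count reveals beyond what search returns."""
    if count is None:
        return 0
    return count - len(search_one_level(who, base))

if __name__ == "__main__":
    for who in ("alice", "bob"):
        naive = num_subordinates_naive(who, BASE)
        gated = num_subordinates_with_attr_acl(who, BASE, {"alice"})
        print(who, "search:", len(search_one_level(who, BASE)),
              "naive:", naive, "disclosed:", entries_disclosed(who, BASE, naive),
              "gated:", gated, "disclosed:", entries_disclosed(who, BASE, gated))
```

Comparing the count a client receives against the number of entries the same client can actually search is also a quick audit check for whether an existing ACL set would leak once such an attribute is exposed.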