Need to think about this some more. While it's true that the back-hdb/mdb backends already have this information and can easily provide it, it introduces new security concerns that sysadmins would have to be aware of. I.e., clients could use numsubordinates to discover the existence of entries they are not permitted to access. Which means sysadmins would need to add new ACLs specifically for controlling access to numsubordinates.

If we just add the feature, and sysadmins aren't aware it was added, then they have a security hole.

That's very true. If it's an operational attribute wouldn't normal ACLs apply? For example if you are only permitted to see "self" in ou=Users, then you shouldn't be able to request numSubordinates on ou=Users or if you do you only see 1.

Thanks.