andrew.findlay@skills-1st.co.uk wrote:
Full_Name: Andrew Findlay
Version: HEAD 12 Jan 2009
OS: Linux
URL:
Submission from: (NULL) (88.97.25.132)
Using ACLs to make a non-leaf object non-disclosable does not protect the subtree beneath that object.
This is not what most people would expect (if I cannot see a given object then I would not expect to see things underneath it). It also provides a handy attack on supposedly non-detectable entries.
For example, if I have a DIT like this:
    dc=example,dc=org--+
                       +--dc=a--+
                       |        +--dc=people--+
                       |                      +--cn=a1
                       +--dc=b--+
                                +--dc=people--+
                                              +--cn=b1
and I give read access on dc=example,dc=org (base) and on dc=a,dc=example,dc=org (subtree) and dc=people,dc=b,dc=example,dc=org (subtree) but no access at all on dc=b,dc=example,dc=org then I would not expect to be able to read the cn=b1 entry, as doing so would expose the existence of dc=b.
What actually happens is that any attempt to read dc=b itself returns correctly as if the entry does not exist, but a simple subtree search happily returns cn=b1.
Which is the natural outcome of granting read access to the dc=people subtree.
If you want the server's behavior to make sense, then give it ACLs that make sense.
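The ACL set the report describes, written out as slapd.conf access directives (an added illustration, not part of the thread; "by * read" stands in for whichever identity the reporter granted read to), together with the ordering the reply's "ACLs that make sense" points at:

```conf
# Added illustration, not part of the thread: the ACL set from the report,
# written as slapd.conf access directives. "by * read" stands in for
# whichever identity the report grants read to.
access to dn.base="dc=example,dc=org"
    by * read
access to dn.subtree="dc=a,dc=example,dc=org"
    by * read
# This is the directive the report relies on: read beneath dc=b while dc=b
# itself gets no grant. slapd applies the first "access to" directive whose
# target matches the entry being evaluated, and every entry is evaluated
# on its own, so cn=b1 matches here and a subtree search returns it even
# though dc=b itself is undisclosed (the behaviour the report observes).
access to dn.subtree="dc=people,dc=b,dc=example,dc=org"
    by * read
# Catch-all, so dc=b itself (and anything else) is denied explicitly rather
# than by whatever the server's default policy happens to be.
access to * by * none

# To get the behaviour the reporter expected (nothing under dc=b visible),
# the grant beneath dc=b has to go. Putting a subtree deny on dc=b ahead of
# it makes the intent explicit, since that directive then matches first
# for cn=b1 and for dc=people,dc=b:
#   access to dn.subtree="dc=b,dc=example,dc=org"
#       by * none
```

A quick check after reloading is the report's own test: a base read of dc=b and a subtree search from dc=example,dc=org for cn=b1 should now both come back empty.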