Re: search right and attribute existence

Michael Ströder michael@stroeder.com wrote:

To deal with brute-force attempts you have to establish central logging with appropriate log watchers which alarm you in case of a brute-force attack.

What about this line of defense?

overlay rwm rwm-rewriteEngine on rwm-rewriteContext searchFilter rwm-rewriteRule "(.*\()?secret=[^\)]*(\).*)?" "$1secret=*$2"

This turns any search filter against the secret attribute into * in order to thwart brute force attempt. Used with a search level ACL, this will cause the server will only reveal if the attribute is present or not.

I gave it a try and it seems to work. Any comment?

An improvement would be to exempt some users (a group) from this rule. Any idea how I can do that?