On 11. aug. 2016 14:36, Michael Ströder wrote:
On 2016-08-11 14:13, Emmanuel Dreyfus wrote:
I would like to test if an attribute is set without disclosing it. Using an ACL that grants the search right does it: I can do ldapsearch -b dn 'attr=*' dn and see if I get a result.
Problem: it is still possible to brute force the attribute value, by searching x* with x being the first letter, then xy* and so on.
(...)
I don't see how to avoid that. There is a DISCLOSE access level, but that's for what to disclose in error situations. I think I'd maintain a separate attribute which is TRUE if the original attribute exists.
And same issue if attribute type declaration in the schema allows ORDERING searches...
Good point, and extended filters can do that without ORDERING in the attrtype definition.
$ ldapsearch -LLLxh ldap.uio.no -b dc=uio,dc=no -s base \
    '(labeledURI:CaseIgnoreOrderingMatch:=N)' labeledURI
dn: dc=uio,dc=no
labeledURI: http://www.uio.no/
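
Added example, not part of the original thread: a log check for the probing patterns discussed above (growing prefix searches, ordering filters, and extended ordering matches) against an attribute that is only meant to be testable for presence. The log line shape is modelled on slapd's stats-level SRCH entries and is an assumption, as are the attribute name userSecret, the thresholds and all sample values.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed slapd stats-style format); userSecret,
# the connection numbers and all values are made up for this example.
SAMPLE_LOG = """\
conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(userSecret=*)"
conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(userSecret=s*)"
conn=1001 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(userSecret=se*)"
conn=1001 op=4 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=bob)(userSecret=sec*))"
conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(cn=smi*)"
conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(userSecret>=m)"
conn=1003 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(userSecret<=g)"
conn=1003 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(userSecret:caseIgnoreOrderingMatch:=j)"
"""

SRCH = re.compile(r'conn=(\d+) op=\d+ SRCH .*filter="(.*)"')
# (attr=prefix*) is an initial-substring probe; a bare presence test (attr=*) is not.
SUBSTR = re.compile(r'\(([\w;-]+)=([^*()]+)\*\)')
# (attr>=v), (attr<=v) and (attr:<x>OrderingMatch:=v) all leak ordering information.
ORDER = re.compile(r'\(([\w;-]+)(?:>=|<=|:\w*OrderingMatch:=)([^()]*)\)', re.I)

def _chain_len(p, seen):
    """Count how many one-character-shorter prefixes of p were also searched."""
    n = 1
    while len(p) > 1 and p[:-1] in seen:
        p, n = p[:-1], n + 1
    return n

def find_probing(log_text, protected, min_chain=3, min_order=3):
    """Return {(conn, attr): reason}; protected is a set of lowercase attribute names."""
    prefixes = defaultdict(set)  # (conn, attr) -> prefixes searched (case-folded)
    ordering = defaultdict(set)  # (conn, attr) -> distinct ordering assertion values
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            for rx, store in ((SUBSTR, prefixes), (ORDER, ordering)):
                for attr, val in rx.findall(m.group(2)):
                    if attr.lower() in protected:
                        store[(m.group(1), attr.lower())].add(val.lower())
    findings = {}
    for key, seen in prefixes.items():
        chain = max(_chain_len(p, seen) for p in seen)
        if chain >= min_chain:
            findings[key] = f"prefix chain of length {chain}"
    for key, seen in ordering.items():
        if len(seen) >= min_order:
            findings.setdefault(key, f"{len(seen)} distinct ordering probes")
    return findings
```

Grouping is per connection only, so probes spread across several connections need a wider key such as bind DN or client address.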