David Boreham wrote: >Michael Ströder wrote:
You're raising some interesting issues regarding access control. After thinking about it I'd like to see that the statement above removed from thedraft. The value of numSubordinates should not try to reflect the client's view.
The original motivation behind the statement in question was to avoid leaking information otherwise restricted by access control, via the numSubordinates attribute.
But this can't be achieved without raising serious implementation issues.
It may be appropriate to add something to the effect that access to the numSubordinates attribute by a client may compromise attempts to restrict access to the subordinate tree.
Ciao, Michael.
_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext