The bug referenced above is now marked as FIXED, but when I browse using anonymous authentication with Apache Directory Studio, I still see all the user email addresses (and some other info). I'm coming in from the MTA-trusted network, but I doubt that should matter, should it?
Am I missing something? Exposure of valid email addresses via LDAP would seem to invite harvesting by spammers. Yet if I firewall off LDAP, this will be inconvenient for users with dynamic IP addresses (travellers & telecommuters).