authorStefan Metzmacher <metze@samba.org>2012-11-21 12:12:41 +0100
committerMichael Adam <obnox@samba.org>2012-11-30 17:17:20 +0100
commit95b480fd98d9647c679672abac49c9f4ca5b3219 (patch)
tree7fb54d918d7dcbeab89146018d8f3b4dbbf0417d
parent3d57f17db94ddb5d5d8021158548ea7aebe16cd1 (diff)
s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set
In that case the acl_read module does the protection. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9a7b01b265..ca99c91d1e 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -49,6 +49,7 @@ struct extended_access_check_attribute {
};
struct acl_private {
+ bool acl_search;
const char **password_attrs;
void *cached_schema_ptr;
uint64_t cached_schema_metadata_usn;
@@ -99,6 +100,8 @@ static int acl_module_init(struct ldb_module *module)
return ldb_oom(ldb);
}
+ data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+ NULL, "acl", "search", false);
ldb_module_set_private(module, data);
mem_ctx = talloc_new(module);
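Review bot: The new assignment in acl_module_init reads `acl:search` once, with a default of `false`, and caches it in `data->acl_search`, but no comment records that this value must agree with what the acl_read module evaluates. If acl_read reads the option with a different default or at a different time (not visible here), the two modules can disagree about which one protects confidential attributes. I would add a comment above the assignment such as `/* read once at init; default must match the acl:search default used by acl_read */`. The result of `ldb_get_opaque(ldb, "loadparm")` is also passed on unchecked; presumably lpcfg_parm_bool tolerates a NULL context, but that is worth confirming. acl_module_init's body continues outside the hunk.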
@@ -1393,6 +1396,14 @@ static int acl_search_update_confidential_attrs(struct acl_context *ac,
struct dsdb_attribute *a;
uint32_t n = 0;
+ if (data->acl_search) {
+ /*
+ * If acl:search is activated, the acl_read module
+ * protects confidential attributes.
+ */
+ return LDB_SUCCESS;
+ }
+
if ((ac->schema == data->cached_schema_ptr) &&
(ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
(ac->schema->metadata_usn == data->cached_schema_metadata_usn))
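Review bot: The early return added at the top of acl_search_update_confidential_attrs makes confidential-attribute protection depend entirely on acl_read being in the module stack, and nothing in this change verifies that it is. With `acl:search = yes` and acl_read absent or failing to initialise, neither module would filter confidential attributes, so the setting fails open. The comment should state the requirement explicitly, e.g. `/* acl_read MUST be loaded when acl:search is set, otherwise confidential attributes are not protected */`. Ideally acl_module_init would also refuse to honour the flag when acl_read is not present. The function continues outside the hunk, so I cannot confirm from here whether later code still expects the confidential-attribute cache to be populated.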