author | Andrew Bartlett <abartlet@samba.org> | 2008-09-08 11:09:02 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-09-08 11:09:02 +1000 |
commit | 4c386ce366cfa08e670f58e5560bf1253b8b6c29 (patch) | |
tree | 11f8c5d301d595792ff5cb261e1800934a86cba2 /source4/dsdb/samdb | |
parent | b3cee235f53acea1d7f1e1f25ac7f1634dbabbf6 (diff) | |
Don't expose passwords, even to the administrator.
This ensures they don't leak over LDAP, but it does not prevent access: a local ldbsearch still bypasses these controls.
Andrew Bartlett
(This used to be commit fa3f3bab33001770a9d7e33875bf212636f6c128)
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/kludge_acl.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 2c01594722..bc998a835a 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -238,7 +238,6 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
 {
 	switch (ac->user_type) {
 	case SECURITY_SYSTEM:
-	case SECURITY_ADMINISTRATOR:
 		if (ac->allowedAttributesEffective) {
 			ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
 			if (ret != LDB_SUCCESS) {
@@ -252,6 +251,20 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
 			}
 		}
 		break;
+	case SECURITY_ADMINISTRATOR:
+		if (ac->allowedAttributesEffective) {
+			ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+		}
+		if (ac->allowedChildClassesEffective) {
+			ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+		}
+		/* fall though */
 	default:
 		/* remove password attributes */
 		for (i = 0; data->password_attrs[i]; i++) { |
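Review bot: In the new SECURITY_ADMINISTRATOR case the allowedAttributesEffective and allowedChildClassesEffective values are built before the fall-through into default strips the password attributes, so if kludge_acl_allowedAttributes derives its list from the message's own attributes (its body is not in this hunk) an administrator may still be told those attributes are readable even though this module then removes them; computing the effective lists after the removal loop, or filtering data->password_attrs out of them, would keep the advertised and actual views consistent. The added block is otherwise a verbatim copy of the SECURITY_SYSTEM block above it and could be folded into one path by ending the shared checks with `if (ac->user_type == SECURITY_SYSTEM) break;` so only the administrator continues into the password removal. The fall-through marker is misspelled and should read `/* fall through */`. kludge_acl_callback begins before the first hunk and continues past the second.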