r12746: An initial version of the kludge_acls module.

This should be replaced with real ACLs, which tridge is working on.
In the meantime, the rules are very simple:

- SYSTEM and Administrators can read all.

- Users and anonymous cannot read passwords, can read everything else

- list of 'password' attributes is hard-coded

Most of the difficult work in this was fighting with the C/js
interface to add a system_session() all, as it still doesn't get on
with me :-)

Andrew Bartlett
(This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)

2 files changed, 7 insertions, 4 deletions

diff --git a/source4/lib/ldb/common/ldb_modules.c b/source4/lib/ldb/common/ldb_modules.c
index 715112a628..f83f0b06ef 100644
--- a/source4/lib/ldb/common/ldb_modules.c
+++ b/source4/lib/ldb/common/ldb_modules.c
@@ -141,6 +141,7 @@ int ldb_load_modules(struct ldb_context *ldb, const char *options[])
 		{ "rootdse", rootdse_module_init },
 		{ "extended_dn", extended_dn_module_init },
 		{ "password_hash", password_hash_module_init },
+		{ "kludge_acl", kludge_acl_module_init },
 #endif
 		{ NULL, NULL }
 	};
diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c
index 269599818c..deb32133c1 100644
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -623,11 +623,13 @@ int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *rep
 void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr)
 {
 	struct ldb_message_element *el = ldb_msg_find_element(msg, attr);
-	int n = (el - msg->elements);
-	if (n != msg->num_elements-1) {
-		memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
+	if (el) {
+		int n = (el - msg->elements);
+		if (n != msg->num_elements-1) {
+			memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
+		}
+		msg->num_elements--;
 	}
-	msg->num_elements--;
 }
 
 /*