r12746: An initial version of the kludge_acls module.

This should be replaced with real ACLs, which tridge is working on.
In the meantime, the rules are very simple:

- SYSTEM and Administrators can read all.

- Users and anonymous cannot read passwords, can read everything else

- list of 'password' attributes is hard-coded

Most of the difficult work in this was fighting with the C/js
interface to add a system_session() all, as it still doesn't get on
with me :-)

Andrew Bartlett
(This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)

2 files changed, 3 insertions, 3 deletions

diff --git a/source4/setup/provision b/source4/setup/provision
index 51e62016a8..6974afeec9 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -114,10 +114,10 @@ if (!provision_validate(subobj, message)) {
 }
 
 var creds = options.get_credentials();
+var system_session = system_session();
 
 message("Provisioning for %s in realm %s\n", subobj.DOMAIN, subobj.REALM);
 message("Using administrator password: %s\n", subobj.ADMINPASS);
-message("Credentials: %s\n", creds);
-provision(subobj, message, blank, provision_default_paths(subobj), NULL, creds);
+provision(subobj, message, blank, provision_default_paths(subobj), system_session, creds);
 message("All OK\n");
 return 0;
diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif
index 6d452a17e7..db532f3078 100644
--- a/source4/setup/provision_init.ldif
+++ b/source4/setup/provision_init.ldif
@@ -69,5 +69,5 @@ isSynchronized: TRUE
 #Add modules to the list to activate them by default
 #beware often order is important
 dn: @MODULES
-@LIST: rootdse,paged_results,server_sort,extended_dn,samldb,password_hash,operational,objectguid,rdn_name,objectclass
+@LIST: rootdse,kludge_acl,paged_results,server_sort,extended_dn,samldb,password_hash,operational,objectguid,rdn_name,objectclass