1 files changed, 8 insertions, 2 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9056a41cae..19271326aa 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -982,7 +982,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 	struct security_descriptor *sd;
 	struct dom_sid *sid = NULL;
 	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
-	bool userPassword = dsdb_user_password_support(module, req, req);
+	bool userPassword;
 	TALLOC_CTX *tmp_ctx = talloc_new(req);
 	static const char *acl_attrs[] = {
 		"nTSecurityDescriptor",
@@ -1017,6 +1017,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 		goto fail;
 	}
 
+	userPassword = dsdb_user_password_support(module, req, req);
+
 	schema = dsdb_get_schema(ldb, tmp_ctx);
 	if (!schema) {
 		talloc_free(tmp_ctx);
@@ -1661,7 +1663,7 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 	ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
 	ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
 	ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
-	ac->userPassword = dsdb_user_password_support(module, ac, req);
+	ac->userPassword = true;
 	ac->schema = dsdb_get_schema(ldb, ac);
 
 	ac->constructed_attrs |= ac->allowedAttributes;
@@ -1681,6 +1683,10 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
+	if (!ac->am_system) {
+		ac->userPassword = dsdb_user_password_support(module, ac, req);
+	}
+
 	ret = acl_search_update_confidential_attrs(ac, data);
 	if (ret != LDB_SUCCESS) {
 		return ret;