-rw-r--r--source4/dsdb/samdb/ldb_modules/subtree_delete.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/subtree_delete.c b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
index ce1b8922f3..f041b7e66e 100644
--- a/source4/dsdb/samdb/ldb_modules/subtree_delete.c
+++ b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
@@ -79,9 +79,17 @@ static int subtree_delete(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_NOT_ALLOWED_ON_NON_LEAF;
}
- /* we need to start from the top since other LDB modules could
- * enforce constraints (eg "objectclass" and "samldb" do so). */
- flags = DSDB_FLAG_TOP_MODULE | DSDB_TREE_DELETE;
+ /*
+ * we need to start from the top since other LDB modules could
+ * enforce constraints (eg "objectclass" and "samldb" do so).
+ *
+ * We pass DSDB_FLAG_AS_SYSTEM as the acl module above us
+ * has already checked for SEC_ADS_DELETE_TREE.
+ */
+ flags = DSDB_FLAG_TOP_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_FLAG_TRUSTED |
+ DSDB_TREE_DELETE;
if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) != NULL) {
flags |= DSDB_MODIFY_RELAX;
}
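Review bot: The new comment justifies DSDB_FLAG_AS_SYSTEM but says nothing about DSDB_FLAG_TRUSTED, which is added in the same assignment to `flags`, so a reader cannot tell why the re-issued delete must also be marked trusted. The elevation rests on an invariant this function does not verify, namely that the acl module sits above subtree_delete in the module stack and has already checked SEC_ADS_DELETE_TREE on this request; the comment should state that explicitly, e.g. `* This is only safe while acl runs above this module; a request reaching us without that check would delete the subtree with system rights.` It is also worth confirming that OR-ing in DSDB_MODIFY_RELAX from the client-supplied LDB_CONTROL_RELAX_OID just below is still intended now that the request runs as system. subtree_delete() starts and ends outside the hunk, so the condition guarding this path is not visible here.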