-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_read.c11
-rw-r--r--source4/dsdb/samdb/samdb.h3
-rw-r--r--source4/ldap_server/ldap_backend.c1
-rw-r--r--source4/libcli/ldap/ldap_controls.c2
4 files changed, 5 insertions, 12 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 3b8e60c8fd..78a9e28396 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -195,25 +195,24 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
struct aclread_context *ac;
struct ldb_request *down_req;
struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- struct ldb_control *apply_access = ldb_request_get_control(req, DSDB_CONTROL_SEARCH_APPLY_ACCESS);
struct auth_session_info *session_info;
struct ldb_result *res;
struct ldb_message_element *parent;
struct aclread_private *p;
+ bool is_untrusted = ldb_req_is_untrusted(req);
static const char *acl_attrs[] = {
"parentGUID",
NULL
- };
+ };
+
ldb = ldb_module_get_ctx(module);
p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
- if (apply_access != NULL) {
- apply_access->critical = 0;
- }
+
/* skip access checks if we are system or system control is supplied
* or this is not LDAP server request */
if (!p || !p->enabled ||
dsdb_module_am_system(module)
- || as_system || !apply_access) {
+ || as_system || !is_untrusted) {
return ldb_next_request(module, req);
}
/* no checks on special dn */
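Review bot: The bypass test in aclread_search now fails open on the trust flag: with `|| as_system || !is_untrusted`, any search that reaches this module without an earlier `ldb_req_mark_untrusted()` call skips the read-ACL checks entirely. The only caller visible in this commit that sets the flag is ldapsrv_SearchRequest in ldap_backend.c, so it is worth confirming that every other front end accepting requests from unprivileged clients marks them too; the removed control was also opt-in, but the dependency is now implicit rather than a named control. The comment above the test still reads "or this is not LDAP server request" and should name the real condition, for example `/* skip access checks if we are system, the as_system control is supplied, or the request was not marked untrusted */`. The body of aclread_search continues past the end of this hunk.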
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index 4a9edbae10..a3d8f7952d 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -192,7 +192,4 @@ struct dsdb_fsmo_extended_op {
struct GUID destination_dsa_guid;
};
-/* applied access checks on LDAP reads */
-#define DSDB_CONTROL_SEARCH_APPLY_ACCESS "1.3.6.1.4.1.7165.4.3.15"
-
#endif /* __SAMDB_H__ */
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 671e94adce..e45c180e31 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -594,7 +594,6 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
}
}
- ldb_request_add_control(lreq, DSDB_CONTROL_SEARCH_APPLY_ACCESS, false, NULL);
ldb_set_timeout(samdb, lreq, req->timelimit);
ldb_req_mark_untrusted(lreq);
diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 592635d59c..6ded87a0ba 100644
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
@@ -1185,8 +1185,6 @@ static const struct ldap_control_handler ldap_known_controls[] = {
{ LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL },
/* DSDB_CONTROL_CHANGEREPLMETADATA_OID is internal only, and has no network representation */
{ DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL },
-/* DSDB_CONTROL_SEARCH_APPLY_ACCESS is internal only, and has no network representation */
- { DSDB_CONTROL_SEARCH_APPLY_ACCESS, NULL, NULL },
/* LDB_CONTROL_PROVISION_OID is internal only, and has no network representation */
{ LDB_CONTROL_PROVISION_OID, NULL, NULL },
/* DSDB_EXTENDED_REPLICATED_OBJECTS_OID is internal only, and has no network representation */