-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 11 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.h | 3 | ||||
-rw-r--r-- | source4/ldap_server/ldap_backend.c | 1 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_controls.c | 2 |
4 files changed, 5 insertions, 12 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 3b8e60c8fd..78a9e28396 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -195,25 +195,24 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 struct aclread_context *ac;
 struct ldb_request *down_req;
 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- struct ldb_control *apply_access = ldb_request_get_control(req, DSDB_CONTROL_SEARCH_APPLY_ACCESS);
 struct auth_session_info *session_info;
 struct ldb_result *res;
 struct ldb_message_element *parent;
 struct aclread_private *p;
+ bool is_untrusted = ldb_req_is_untrusted(req);
 static const char *acl_attrs[] = {
 "parentGUID",
 NULL
- };
+ };
+
 ldb = ldb_module_get_ctx(module);
 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
- if (apply_access != NULL) {
- apply_access->critical = 0;
- }
+
 /* skip access checks if we are system or system control is supplied
 * or this is not LDAP server request */
 if (!p || !p->enabled
 || dsdb_module_am_system(module)
- || as_system || !apply_access) {
+ || as_system || !is_untrusted) {
 return ldb_next_request(module, req);
 }
 /* no checks on special dn */
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index 4a9edbae10..a3d8f7952d 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -192,7 +192,4 @@ struct dsdb_fsmo_extended_op {
 struct GUID destination_dsa_guid;
 };
-/* applied access checks on LDAP reads */
-#define DSDB_CONTROL_SEARCH_APPLY_ACCESS "1.3.6.1.4.1.7165.4.3.15"
-
 #endif /* __SAMDB_H__ */
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 671e94adce..e45c180e31 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
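Review bot: In the acl_read.c hunk, the comment above the early return in aclread_search still says "or this is not LDAP server request", but the gate is now `!is_untrusted`, so read ACL checks are skipped for every request that was not explicitly marked untrusted, whatever its origin. I would reword it to `/* skip access checks if we are system, the as-system control is supplied, or the request is not marked untrusted */` so the fail-open default is visible to the next reader. Because the decision now rests on a per-request flag rather than a control carried in the request, it is worth confirming that any module above acl_read that builds a new search request preserves the untrusted mark; that cannot be checked from this hunk. The body of aclread_search starts and ends outside the hunk.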
@@ -594,7 +594,6 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
 }
 }
- ldb_request_add_control(lreq, DSDB_CONTROL_SEARCH_APPLY_ACCESS, false, NULL);
 ldb_set_timeout(samdb, lreq, req->timelimit);
 ldb_req_mark_untrusted(lreq);
diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 592635d59c..6ded87a0ba 100644
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
@@ -1185,8 +1185,6 @@ static const struct ldap_control_handler ldap_known_controls[] = {
 { LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL },
 /* DSDB_CONTROL_CHANGEREPLMETADATA_OID is internal only, and has no network representation */
 { DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL },
-/* DSDB_CONTROL_SEARCH_APPLY_ACCESS is internal only, and has no network representation */
- { DSDB_CONTROL_SEARCH_APPLY_ACCESS, NULL, NULL },
 /* LDB_CONTROL_PROVISION_OID is internal only, and has no network representation */
 { LDB_CONTROL_PROVISION_OID, NULL, NULL },
 /* DSDB_EXTENDED_REPLICATED_OBJECTS_OID is internal only, and has no network representation */ |