diff options
Diffstat (limited to 'source4/dsdb')
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 9955451e77..dcabd56a78 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -48,6 +48,7 @@ struct aclread_context { bool added_nTSecurityDescriptor; bool added_instanceType; bool added_objectSid; + bool added_objectClass; bool indirsync; }; @@ -123,10 +124,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) goto fail; } } + /* for every element in the message check RP */ for (i=0; i < msg->num_elements; i++) { const struct dsdb_attribute *attr; - bool is_sd, is_objectsid, is_instancetype; + bool is_sd, is_objectsid, is_instancetype, is_objectclass; uint32_t access_mask; attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); @@ -144,6 +146,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) msg->elements[i].name) == 0; is_instancetype = ldb_attr_cmp("instanceType", msg->elements[i].name) == 0; + is_objectclass = ldb_attr_cmp("objectClass", + msg->elements[i].name) == 0; /* these attributes were added to perform access checks and must be removed */ if (is_objectsid && ac->added_objectSid) { aclread_mark_inaccesslible(&msg->elements[i]); @@ -153,6 +157,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) aclread_mark_inaccesslible(&msg->elements[i]); continue; } + if (is_objectclass && ac->added_objectClass) { + aclread_mark_inaccesslible(&msg->elements[i]); + continue; + } if (is_sd && ac->added_nTSecurityDescriptor) { aclread_mark_inaccesslible(&msg->elements[i]); continue; @@ -409,6 +417,13 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) } ac->added_objectSid = true; } + if (!ldb_attr_in_list(req->op.search.attrs, "objectClass")) { + attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass"); + if (attrs == NULL) { + return ldb_oom(ldb); + } + ac->added_objectClass = true; + } } if (need_sd) { |