From 95b480fd98d9647c679672abac49c9f4ca5b3219 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 21 Nov 2012 12:12:41 +0100
Subject: s4:dsdb/acl: don't protect confidential attributes when "acl:search =
 yes" is set

In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9a7b01b265..ca99c91d1e 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -49,6 +49,7 @@ struct extended_access_check_attribute {
 };
 
 struct acl_private {
+	bool acl_search;
 	const char **password_attrs;
 	void *cached_schema_ptr;
 	uint64_t cached_schema_metadata_usn;
@@ -99,6 +100,8 @@ static int acl_module_init(struct ldb_module *module)
 		return ldb_oom(ldb);
 	}
 
+	data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+					NULL, "acl", "search", false);
 	ldb_module_set_private(module, data);
 
 	mem_ctx = talloc_new(module);
@@ -1393,6 +1396,14 @@ static int acl_search_update_confidential_attrs(struct acl_context *ac,
 	struct dsdb_attribute *a;
 	uint32_t n = 0;
 
+	if (data->acl_search) {
+		/*
+		 * If acl:search is activated, the acl_read module
+		 * protects confidential attributes.
+		 */
+		return LDB_SUCCESS;
+	}
+
 	if ((ac->schema == data->cached_schema_ptr) &&
 	    (ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
 	    (ac->schema->metadata_usn == data->cached_schema_metadata_usn))
-- 
cgit