From 6bc2caed8b3f153f92af013275f39c803f886a22 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 6 Dec 2012 15:56:26 +0100
Subject: s4:dsdb/operational: fix stripping of the nTSecurityDescriptor
 attribute

If the sd_flags control is specified, we should return nTSecurityDescriptor
only if the client asked for all attributes.

If there's a list of only explicit attribute names, we should ignore
the sd_flags control.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source4/dsdb/samdb/ldb_modules/operational.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'source4/dsdb')

diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 4ce8b8fdda..c642ad8c92 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -721,10 +721,20 @@ static int operational_search_post_process(struct ldb_module *module,
 				continue;
 			}
 		case OPERATIONAL_SD_FLAGS:
-			if (controls_flags->sd ||
-			    ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
+			if (ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
 				continue;
 			}
+			if (controls_flags->sd) {
+				if (attrs_from_user == NULL) {
+					continue;
+				}
+				if (attrs_from_user[0] == NULL) {
+					continue;
+				}
+				if (ldb_attr_in_list(attrs_from_user, "*")) {
+					continue;
+				}
+			}
 			ldb_msg_remove_attr(msg, operational_remove[i].attr);
 			break;
 		}
-- 
cgit