From a1b421e8cca24a5831f4c6d77714cf54faf8c48e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 2 Jan 2013 15:01:00 +1100
Subject: [PATCH] dsdb-acl: ask for the objectClass attribute if it's not in
 the scope of the clients search

This will be used later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl_read.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 9955451e7787..dcabd56a784d 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -48,6 +48,7 @@ struct aclread_context {
 	bool added_nTSecurityDescriptor;
 	bool added_instanceType;
 	bool added_objectSid;
+	bool added_objectClass;
 	bool indirsync;
 };
 
@@ -123,10 +124,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 				goto fail;
 			}
 		}
+
 		/* for every element in the message check RP */
 		for (i=0; i < msg->num_elements; i++) {
 			const struct dsdb_attribute *attr;
-			bool is_sd, is_objectsid, is_instancetype;
+			bool is_sd, is_objectsid, is_instancetype, is_objectclass;
 			uint32_t access_mask;
 			attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
 								 msg->elements[i].name);
@@ -144,6 +146,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 						    msg->elements[i].name) == 0;
 			is_instancetype = ldb_attr_cmp("instanceType",
 						       msg->elements[i].name) == 0;
+			is_objectclass = ldb_attr_cmp("objectClass",
+						      msg->elements[i].name) == 0;
 			/* these attributes were added to perform access checks and must be removed */
 			if (is_objectsid && ac->added_objectSid) {
 				aclread_mark_inaccesslible(&msg->elements[i]);
@@ -153,6 +157,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 				aclread_mark_inaccesslible(&msg->elements[i]);
 				continue;
 			}
+			if (is_objectclass && ac->added_objectClass) {
+				aclread_mark_inaccesslible(&msg->elements[i]);
+				continue;
+			}
 			if (is_sd && ac->added_nTSecurityDescriptor) {
 				aclread_mark_inaccesslible(&msg->elements[i]);
 				continue;
@@ -409,6 +417,13 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 			}
 			ac->added_objectSid = true;
 		}
+		if (!ldb_attr_in_list(req->op.search.attrs, "objectClass")) {
+			attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass");
+			if (attrs == NULL) {
+				return ldb_oom(ldb);
+			}
+			ac->added_objectClass = true;
+		}
 	}
 
 	if (need_sd) {
-- 
2.34.1