dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user shouldn...

This fix frequent reindexing when using python script with a
user that is not system.
The reindexing is caused by ACL module hidding (removing) attributes in
the search request for all attributes in dn=@ATTRIBUTES and because
dsdb_schema_set_indices_and_attributes checks that the list of
attributes that it just calculated from the schema is the same as the
list written in @ATTRIBUTES, if not the list is replaced and a
reindexing is triggered.

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index e5597710e822db8b8c587c787435515036273ff4..250456876490b9253f4c967805500efb6baf66a8 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1644,6 +1644,10 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
        int ret;
        unsigned int i;
 
+       if (ldb_dn_is_special(req->op.search.base)) {
+               return ldb_next_request(module, req);
+       }
+
        ldb = ldb_module_get_ctx(module);
 
        ac = talloc_zero(req, struct acl_context);