dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUID
authorStefan Metzmacher <metze@samba.org>
Thu, 17 Jan 2013 15:22:09 +0000 (16:22 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 21 Jan 2013 15:12:45 +0000 (16:12 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c

index 41c257b999dcd1d2cecbdf473ed67db117c2df89..75b871f0d24bb25b290cd41db83469f0ed8278dc 100644 (file)
@@ -1267,7 +1267,9 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
        /* Nope, we don't have delete object. Lets check if we have delete
         * child on the parent */
        ret = dsdb_module_check_access_on_dn(module, req, parent,
-                                            SEC_ADS_DELETE_CHILD, NULL, req);
+                                            SEC_ADS_DELETE_CHILD,
+                                            &objectclass->schemaIDGUID,
+                                            req);
        if (ret != LDB_SUCCESS) {
                return ret;
        }
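Review bot: Both new call sites take `&objectclass->schemaIDGUID` with no guard visible in the hunk, here in acl_delete and again in the acl_rename hunk. Where `objectclass` is assigned lies outside both hunks, so this is only safe if an earlier line already rejects a failed class lookup. If `objectclass` were NULL, the expression would not reliably produce NULL, and the access check could read a GUID from an invalid address rather than fail cleanly. If no such guard exists earlier in each function, add one before the call, e.g. `if (objectclass == NULL) { return ldb_operr(ldb_module_get_ctx(module)); }`. acl_delete's body starts and ends outside the hunk.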
@@ -1462,7 +1464,10 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
                return ldb_next_request(module, req);
        }
        /* what about delete child on the current parent */
-       ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
+       ret = dsdb_module_check_access_on_dn(module, req, oldparent,
+                                            SEC_ADS_DELETE_CHILD,
+                                            &objectclass->schemaIDGUID,
+                                            req);
        if (ret != LDB_SUCCESS) {
                ldb_asprintf_errstring(ldb_module_get_ctx(module),
                                       "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
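Review bot: The comment `/* what about delete child on the current parent */` no longer describes what is checked now that the class GUID is passed. Presumably the GUID is what allows an ACE granting delete-child for only this object class to be matched, which the commit title suggests is the reason for the change. Saying so next to the call would keep a later cleanup from reverting the argument to NULL and silently changing the authorization result. Suggested wording: `/* delete child on the current parent, scoped to the object's class so object-specific ACEs are evaluated */`. The same wording would fit the call in acl_delete, and acl_rename continues outside the hunk.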