s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes
authorStefan Metzmacher <metze@samba.org>
Sat, 24 Nov 2012 08:15:24 +0000 (09:15 +0100)
committerStefan Metzmacher <metze@samba.org>
Sun, 25 Nov 2012 12:26:11 +0000 (13:26 +0100)
The @KLUDGEACL record might not be up to date.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c

index 853fa20902e0cfd3f3ada6db091d9927b3802ae2..ba61a3f2683811a68c600ad3c547e5eb6bf4ed86 100644 (file)
@@ -79,9 +79,12 @@ static int acl_module_init(struct ldb_module *module)
        struct ldb_context *ldb;
        struct acl_private *data;
        int ret;
-       unsigned int i;
+       unsigned int i, n, j;
        TALLOC_CTX *mem_ctx;
-       static const char *attrs[] = { "passwordAttribute", NULL };
+       static const char * const attrs[] = { "passwordAttribute", NULL };
+       static const char * const secret_attrs[] = {
+               DSDB_SECRET_ATTRIBUTES
+       };
        struct ldb_result *res;
        struct ldb_message *msg;
        struct ldb_message_element *password_attributes;
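Review bot: The new `secret_attrs` table has no comment explaining why it exists or why, unlike `attrs` next to it, it has no `NULL` terminator. It is walked with `ARRAY_SIZE()` and each entry is passed straight to `strcasecmp()` and `talloc_strdup()` later in the function, so it relies on `DSDB_SECRET_ATTRIBUTES` expanding to string literals only; the macro definition is not visible here, so confirm that. I would add above it something like `/* built-in secret attributes, merged with @KLUDGEACL's passwordAttribute values in case that record is stale; not NULL-terminated, iterate with ARRAY_SIZE() */`. The body of `acl_module_init` continues outside this hunk.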
@@ -133,16 +136,44 @@ static int acl_module_init(struct ldb_module *module)
        if (!password_attributes) {
                goto done;
        }
-       data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
+       data->password_attrs = talloc_array(data, const char *,
+                       password_attributes->num_values +
+                       ARRAY_SIZE(secret_attrs) + 1);
        if (!data->password_attrs) {
                talloc_free(mem_ctx);
                return ldb_oom(ldb);
        }
+
+       n = 0;
        for (i=0; i < password_attributes->num_values; i++) {
-               data->password_attrs[i] = (const char *)password_attributes->values[i].data;
+               data->password_attrs[n] = (const char *)password_attributes->values[i].data;
                talloc_steal(data->password_attrs, password_attributes->values[i].data);
+               n++;
+       }
+
+       for (i=0; i < ARRAY_SIZE(secret_attrs); i++) {
+               bool found = false;
+
+               for (j=0; j < n; j++) {
+                       if (strcasecmp(data->password_attrs[j], secret_attrs[i]) == 0) {
+                               found = true;
+                               break;
+                       }
+               }
+
+               if (found) {
+                       continue;
+               }
+
+               data->password_attrs[n] = talloc_strdup(data->password_attrs,
+                                                       secret_attrs[i]);
+               if (data->password_attrs[n] == NULL) {
+                       talloc_free(mem_ctx);
+                       return ldb_oom(ldb);
+               }
+               n++;
        }
-       data->password_attrs[i] = NULL;
+       data->password_attrs[n] = NULL;
 
 done:
        talloc_free(mem_ctx);
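Review bot: The early `goto done` on `!password_attributes` at the top of this hunk still skips the new merge loop, so when the @KLUDGEACL record has no `passwordAttribute` element at all, none of the `secret_attrs` entries are added and `data->password_attrs` stays as it was before this block. That is the extreme case of the stale record the commit message describes, so the built-in list should probably apply there as well: drop the early exit, compute `num = password_attributes ? password_attributes->num_values : 0;`, and use `num` in the `talloc_array` size and as the bound of the first loop. How the rest of the module treats an unset `password_attrs` is not visible here, and `acl_module_init` starts and ends outside the hunk, so any earlier exits to `done` (if present) would need the same treatment. As a smaller style point, the name comparison could use ldb's `ldb_attr_cmp()` instead of a bare `strcasecmp()` to match how attribute names are compared elsewhere in ldb code.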