s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set
authorStefan Metzmacher <metze@samba.org>
Wed, 21 Nov 2012 11:12:41 +0000 (12:12 +0100)
committerMichael Adam <obnox@samba.org>
Fri, 30 Nov 2012 16:17:20 +0000 (17:17 +0100)
In that case the acl_read module provides the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c

index 9a7b01b265889caf97b5421f2ef83d8d41265220..ca99c91d1eb4c1ed5aff4900b0802c5d21b6d78e 100644 (file)
@@ -49,6 +49,7 @@ struct extended_access_check_attribute {
 };
 
 struct acl_private {
+       bool acl_search;
        const char **password_attrs;
        void *cached_schema_ptr;
        uint64_t cached_schema_metadata_usn;
@@ -99,6 +100,8 @@ static int acl_module_init(struct ldb_module *module)
                return ldb_oom(ldb);
        }
 
+       data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+                                       NULL, "acl", "search", false);
        ldb_module_set_private(module, data);
 
        mem_ctx = talloc_new(module);
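Review bot: The new assignment reads a search-related option in acl_module_init without saying what it switches off, so a reader has to grep for the consumer of data->acl_search to learn that it disables this module's own confidential-attribute filtering. A one-line comment above the lpcfg_parm_bool call would make the dependency visible, e.g. `/* acl:search = yes hands confidential-attribute filtering to the acl_read module */`. The call also passes whatever ldb_get_opaque(ldb, "loadparm") returns straight through, presumably relying on lpcfg_parm_bool to tolerate a missing opaque and yield the default; worth confirming rather than assuming.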
@@ -1393,6 +1396,14 @@ static int acl_search_update_confidential_attrs(struct acl_context *ac,
        struct dsdb_attribute *a;
        uint32_t n = 0;
 
+       if (data->acl_search) {
+               /*
+                * If acl:search is activated, the acl_read module
+                * protects confidential attributes.
+                */
+               return LDB_SUCCESS;
+       }
+
        if ((ac->schema == data->cached_schema_ptr) &&
            (ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
            (ac->schema->metadata_usn == data->cached_schema_metadata_usn))
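Review bot: The early return at the top of the function drops this module's confidential-attribute filter purely on the strength of the acl:search setting, without confirming that the acl_read module it delegates to is actually present in the module stack; if the option and the module list can be configured independently, a mismatch would leave confidential attributes unfiltered rather than failing closed. Consider stating that precondition where the flag is consumed, e.g. extending the new comment with `* This relies on acl_read being loaded in the module stack; without it the attributes are not protected at all.`, or, preferably, verifying at init time that acl_read is part of the stack whenever the option is set. Note that `data` is declared outside the visible lines and the body of acl_search_update_confidential_attrs continues past the hunk.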