>From 6edfde6ffd22471fc0b82f45793b96b6027c001a Mon Sep 17 00:00:00 2001
From: Matthieu Patou
Date: Sun, 30 Dec 2012 02:27:25 -0800
Subject: [PATCH] acl: Do not apply ACL on special DNs to hide attributes that the user shouldn't see This fix frequent reindexing when using python script with a user that is not system. The reindexing is caused by ACL module hidding (removing) attributes in the search request for all attributes in dn=@ATTRIBUTES and because dsdb_schema_set_indices_and_attributes checks that the list of attributes that it just calculated from the schema is the same as the list written in @ATTRIBUTES, if not the list is replaced and a reindexing is triggered.
---
 source4/dsdb/samdb/ldb_modules/acl.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 2de16b7..83e9c58 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1643,6 +1643,9 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 int ret;
 unsigned int i;
+ if (ldb_dn_is_special(req->op.search.base)) {
+ return ldb_next_request(module, req);
+ }
 ldb = ldb_module_get_ctx(module);
 ac = talloc_zero(req, struct acl_context);
@@ -1671,6 +1674,8 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 ac->constructed_attrs |= ac->allowedAttributesEffective;
 ac->constructed_attrs |= ac->sDRightsEffective;
+
+
 if (data == NULL) {
 ac->modify_search = false;
 }
--
1.7.9.5
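Review bot: The early return added at the top of acl_search skips attribute filtering for every caller whenever the search base is a special DN, and the code carries no comment saying why that exemption is safe. The commit message only motivates it for `@ATTRIBUTES`, while `ldb_dn_is_special()` matches any special DN, so it is worth confirming that none of those records hold data that a non-system caller should not read; whether such DNs are reachable by untrusted clients is not visible from this hunk. I would record the rationale at the check, for example `/* Special DNs (e.g. @ATTRIBUTES) are not filtered: hiding attributes there makes dsdb_schema_set_indices_and_attributes rewrite the list and reindex */`. The body of acl_search continues outside the hunk, so any later system or untrusted-caller checks that this return now precedes cannot be judged from here.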