s4:dsdb/extended_dn_out: hide backlinks with DSDB_RMD_FLAG_HIDDEN_BL by default
authorStefan Metzmacher <metze@samba.org>
Thu, 9 Feb 2023 14:04:26 +0000 (15:04 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 23 Mar 2023 08:19:20 +0000 (08:19 +0000)
Backlinks which are not allowed by the schema are hidden by default;
we already set DSDB_RMD_FLAG_HIDDEN_BL on store, so we have a cheap
way to hide the backlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 23 08:19:20 UTC 2023 on atb-devel-224

selftest/knownfail.d/invisible_backlink [deleted file]
source4/dsdb/samdb/ldb_modules/extended_dn_out.c

diff --git a/selftest/knownfail.d/invisible_backlink b/selftest/knownfail.d/invisible_backlink
deleted file mode 100644 (file)
index 36ec6f3..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.linked_attributes.python.*.LATests.test_la_invisible_backlink
index 300c926992bd36f70345be17e31c39abbd8ac0c8..a8b4437354c63d7d08433e7d5e532483f2603a97 100644 (file)
@@ -303,6 +303,7 @@ static int extended_callback(struct ldb_request *req, struct ldb_reply *ares)
         * interpret the list with) */
        for (i = 0; ac->schema && i < msg->num_elements; i++) {
                bool make_extended_dn;
+               bool bl_requested = true;
                const struct dsdb_attribute *attribute;
 
                attribute = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name);
@@ -338,6 +339,20 @@ static int extended_callback(struct ldb_request *req, struct ldb_reply *ares)
                        make_extended_dn = (strcmp(attribute->syntax->ldap_oid, DSDB_SYNTAX_OR_NAME) != 0);
                }
 
+               if (attribute->linkID & 1 &&
+                   attribute->bl_maybe_invisible &&
+                   !have_reveal_control)
+               {
+                       const char * const *attrs = ac->req->op.search.attrs;
+
+                       if (attrs != NULL) {
+                               bl_requested = is_attr_in_list(attrs,
+                                               attribute->lDAPDisplayName);
+                       } else {
+                               bl_requested = false;
+                       }
+               }
+
                for (k = 0, j = 0; j < msg->elements[i].num_values; j++) {
                        const char *dn_str;
                        struct ldb_dn *dn;
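Review bot: The new `bl_requested` block has no comment stating the policy it implements, and the policy has a non-obvious consequence: when `attrs` is NULL (no attribute list) the backlink is hidden, and, assuming `is_attr_in_list` matches names exactly, a request for `*` does not count as requesting it either, so only an explicitly named attribute or the control behind `have_reveal_control` (presumably the reveal-internals control, defined outside this hunk) reveals it. That looks intended given the commit message, but a reader of this loop cannot tell it apart from an oversight. I would add above the `if`: `/* Backlinks the schema may not allow (bl_maybe_invisible) are only returned when the client names the attribute explicitly or uses the reveal control; neither a missing attrs list nor "*" counts as a request. */`. As a matter of style, `(attribute->linkID & 1)` in parentheses would make the precedence against `&&` explicit, matching how the result is later tested with `rmd_flags & DSDB_RMD_FLAG_HIDDEN_BL`; extended_callback continues outside this hunk.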
@@ -356,7 +371,15 @@ static int extended_callback(struct ldb_request *req, struct ldb_reply *ares)
                                /* we won't keep this one, so not incrementing k */
                                continue;
                        }
-
+                       if (rmd_flags & DSDB_RMD_FLAG_HIDDEN_BL && !bl_requested) {
+                               /*
+                                * Hidden backlinks are not revealed unless
+                                * requested.
+                                *
+                                * we won't keep this one, so not incrementing k
+                                */
+                               continue;
+                       }
 
                        dsdb_dn = dsdb_dn_parse_trusted(msg, ldb, plain_dn, attribute->syntax->ldap_oid);