s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS (bug ...
author Stefan Metzmacher <metze@samba.org>
Fri, 9 Nov 2012 16:23:53 +0000 (17:23 +0100)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 12 Nov 2012 00:25:19 +0000 (01:25 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104

source4/dsdb/samdb/ldb_modules/acl_read.c

index 8542163f9810482ef6b1689a27bae4522fed56f8..e2a2d4cb9ae01a2faef2dd90a3c7e3dad537d463 100644 (file)
@@ -154,6 +154,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                                access_mask = SEC_ADS_READ_PROP;
                        }
 
+                       if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
+                               access_mask |= SEC_ADS_CONTROL_ACCESS;
+                       }
+
                        ret = acl_check_access_on_attribute(ac->module,
                                                            tmp_ctx,
                                                            sd,
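
Review bot: The new `if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)` block carries no comment explaining why SEC_ADS_CONTROL_ACCESS is ORed into whatever mask the branches above selected, so a later reader cannot tell whether requiring it in addition to SEC_ADS_READ_PROP (rather than instead of it) is intentional. Please add a one-line comment stating that confidential attributes need both rights. The check only protects the attribute if acl_check_access_on_attribute() denies access unless every bit in access_mask is granted; that behaviour is not visible in this hunk, so it is worth confirming and saying so in the comment. The change also comes without a test in this diff: a case where the caller holds READ_PROP but not CONTROL_ACCESS on an attribute flagged SEARCH_FLAG_CONFIDENTIAL, asserting the attribute is removed from the reply, would keep this from regressing.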