r20921: - only give password attributes to the SYSTEM account

- but SYSTEM and administrators can change them

metze

diff --git a/source/dsdb/samdb/ldb_modules/kludge_acl.c b/source/dsdb/samdb/ldb_modules/kludge_acl.c
index 8876db0482cf2e739374386a1c5d6893b66ef142..e2a11cf87d11380b3c6be80302d27100d518a0f6 100644 (file)
--- a/source/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -126,7 +126,6 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
        {
                switch (ac->user_type) {
                case SYSTEM:
-               case ADMINISTRATOR:
                        break;
                default:
                        /* remove password attributes */
@@ -183,7 +182,6 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
           just as we would not allow that attribute to be returned */
        switch (ac->user_type) {
        case SYSTEM:
-       case ADMINISTRATOR:
                break;
        default:
                /* remove password attributes */