dsdb: Only re-query dSHeuristics for userPassword support on modifies

We keep the database startup value for search behaviour, as to re-check
is too expensive.  It caused every search to have an additional
search to the database.

We do not need to check as_system when setting ac->userPassword
as this is checked when all password attributes are stripped

As userPassword is not written to after fUserPwdSupport is set
we do not expose any data that was not already visible.

The database overhead was an oversight when this was
originally added with 7f171a9e0f9b5945bd16a1330ba0908090659030
in 2010.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11853

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

1 files changed, 6 insertions, 2 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 62e560f9b13..2aafc6ca1f6 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -55,6 +55,7 @@ struct acl_private {
 	uint64_t cached_schema_metadata_usn;
 	uint64_t cached_schema_loaded_usn;
 	const char **confidential_attrs;
+	bool userPassword_support;
 };
 
 struct acl_context {
@@ -107,6 +108,8 @@ static int acl_module_init(struct ldb_module *module)
 					NULL, "acl", "search", true);
 	ldb_module_set_private(module, data);
 
+	data->userPassword_support = dsdb_user_password_support(module, module, NULL);
+	
 	mem_ctx = talloc_new(module);
 	if (!mem_ctx) {
 		return ldb_oom(ldb);
@@ -1851,8 +1854,9 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	if (!ac->am_system) {
-		ac->userPassword = dsdb_user_password_support(module, ac, req);
+	data = talloc_get_type(ldb_module_get_private(ac->module), struct acl_private);
+	if (data != NULL) {
+		ac->userPassword = data->userPassword_support;
 	}
 
 	ret = acl_search_update_confidential_attrs(ac, data);