authorStefan Metzmacher <metze@samba.org>2020-10-12 17:59:34 +0200
committerKarolin Seeger <kseeger@samba.org>2020-10-27 08:22:01 +0000
commit160a2d6a5f9e3c1b57cef26937a2de5ecb9877a4 (patch)
treecb224ddaa658e34b09b1545b89d4973126d5187f /source4
parentee5b2e3be9063f787c7302100ce04fba4f5fe3f5 (diff)
s4:dsdb:acl_read: defer LDB_ERR_NO_SUCH_OBJECT
We may need to return child objects even if the base dn is invisible. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> (cherry picked from commit e1529bedb2b6c8553e69a42537ac0cffd03af6d6)
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_read.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index e9b3694c63c..d3cd5d5e1bd 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -50,6 +50,9 @@ struct aclread_context {
bool added_objectClass;
bool indirsync;
+ bool base_invisible;
+ uint64_t num_entries;
+
/* cache on the last parent we checked in this search */
struct ldb_dn *last_parent_dn;
int last_parent_check_ret;
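Review bot: The new fields `base_invisible` and `num_entries` have no comment, although the cache fields right below them do, and their meaning can only be worked out by reading both aclread_search() and aclread_callback(). I would add `/* base DN failed the visibility check; NO_SUCH_OBJECT is decided at LDB_REPLY_DONE */` above `base_invisible` and `/* entries forwarded to the caller so far in this search */` above `num_entries`. Together these two fields decide whether the existence of a hidden base is disclosed, so stating that at the declaration helps later changes keep the invariant.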
@@ -711,10 +714,21 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
}
talloc_free(tmp_ctx);
+ ac->num_entries++;
return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
case LDB_REPLY_REFERRAL:
return ldb_module_send_referral(ac->req, ares->referral);
case LDB_REPLY_DONE:
+ if (ac->base_invisible && ac->num_entries == 0) {
+ /*
+ * If the base is invisible and we didn't
+ * returned any object, we need to return
+ * NO_SUCH_OBJECT.
+ */
+ return ldb_module_done(ac->req,
+ NULL, NULL,
+ LDB_ERR_NO_SUCH_OBJECT);
+ }
return ldb_module_done(ac->req, ares->controls,
ares->response, LDB_SUCCESS);
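Review bot: In the `LDB_REPLY_DONE` branch the deferred error depends only on `num_entries`, which is incremented on the one `ldb_module_send_entry()` return visible here, while `LDB_REPLY_REFERRAL` replies are forwarded without being counted. With `base_invisible` set, a search that yields referrals but no visible entries would forward the referrals and then finish with `LDB_ERR_NO_SUCH_OBJECT`, which could let a client tell a hidden base from a missing one. Whether that can occur depends on code outside this hunk, so it should be confirmed or covered by a test. Any other path in the entry case that sends a message would need the same increment; the case begins above the hunk. The new comment also has a grammar slip: `we didn't returned any object` should read `we didn't return any object`.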
@@ -849,7 +863,15 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
}
ret = aclread_check_object_visible(ac, res->msgs[0], req);
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
- return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
+ if (req->op.search.scope == LDB_SCOPE_BASE) {
+ return ldb_module_done(req, NULL, NULL,
+ LDB_ERR_NO_SUCH_OBJECT);
+ }
+ /*
+ * Defer LDB_ERR_NO_SUCH_OBJECT,
+ * we may return sub objects
+ */
+ ac->base_invisible = true;
} else if (ret != LDB_SUCCESS) {
return ldb_module_done(req, NULL, NULL, ret);
}
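Review bot: After `ac->base_invisible = true;` the request appears to continue with its original scope, so for a subtree search the hidden base entry itself would presumably reach aclread_callback() and has to be dropped there by a per-entry visibility check that is not visible in this hunk. The comment should state that dependency, for example `/* Defer LDB_ERR_NO_SUCH_OBJECT: children may be visible; the base itself must still be filtered per entry in the callback */`. A regression test for one-level and subtree searches under an unreadable base would pin this down: with no readable children the result is `LDB_ERR_NO_SUCH_OBJECT`, and with readable children the base never appears among the results. aclread_search() starts and ends outside the hunk.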