Read ACL for Directory objects is not enabled by default; currently the read is just denied to non-authenticated users. Supporting real ACLs is needed for production use. The code for the read ACL is here but deactivated due to performance concerns.
Actually, it's not just performance; it causes some failures in make test. I fixed them by using a flag that is only set if the request comes from LDAP, but then the flag was changed to mean something else and it messed things up again. The code itself is finished in terms of implementation, but these issues need to be resolved.
There is no way this is going to be changed for a 4.0 release. Unblocking.
We need to at least protect attributes with searchFlags: fCONFIDENTIAL for 4.0.
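As an added illustration of what "protecting attributes with searchFlags: fCONFIDENTIAL" means on the server side (example code written for this thread, not Samba's own implementation): the searchFlags bit layout follows MS-ADTS, where 0x80 is fCONFIDENTIAL and reading such an attribute requires RIGHT_DS_CONTROL_ACCESS in addition to the ordinary read-property right. The schema fragment, attribute names and directory entry below are constructed; `filter_entry` fails closed by also hiding attributes that are missing from the schema it was given.

```python
"""Decode AD attributeSchema searchFlags and hide confidential attributes.

Added example, not Samba code. Attribute names and searchFlags values below
are constructed for illustration; the bit layout follows MS-ADTS searchFlags.
"""

FCONFIDENTIAL = 0x80  # searchFlags bit marking a confidential attribute

SEARCH_FLAG_NAMES = {
    0x01: "fATTINDEX",
    0x02: "fPDNTATTINDEX",
    0x04: "fANR",
    0x08: "fPRESERVEONDELETE",
    0x10: "fCOPY",
    0x20: "fTUPLEINDEX",
    0x40: "fSUBTREEATTINDEX",
    0x80: "fCONFIDENTIAL",
    0x100: "fNEVERVALUEAUDIT",
    0x200: "fRODCFilteredAttribute",
}

# Constructed schema fragment: lDAPDisplayName -> searchFlags value.
SAMPLE_SCHEMA = {
    "cn": 0x01,
    "sAMAccountName": 0x0D,
    "employeeSecretToken": 0x81,  # constructed confidential attribute
    "recoveryPin": 0x80,          # constructed confidential attribute
}


def decode_search_flags(value):
    """Return the flag names set in a searchFlags integer, lowest bit first."""
    names = [name for bit, name in sorted(SEARCH_FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(SEARCH_FLAG_NAMES)
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def is_confidential(search_flags):
    """True when the fCONFIDENTIAL bit is set."""
    return bool(search_flags & FCONFIDENTIAL)


def confidential_attributes(schema):
    """Sorted list of attribute names whose searchFlags mark them confidential."""
    return sorted(a for a, f in schema.items() if is_confidential(f))


def filter_entry(entry, schema, control_access_attrs=frozenset()):
    """Return a copy of entry with confidential attributes removed.

    control_access_attrs: attributes on which the requester holds
    RIGHT_DS_CONTROL_ACCESS, the extra right MS-ADTS requires to read a
    confidential attribute. Attributes absent from the schema are treated
    as confidential so that an incomplete schema fails closed.
    """
    visible = {}
    for attr, values in entry.items():
        flags = schema.get(attr)
        if (flags is None or is_confidential(flags)) and attr not in control_access_attrs:
            continue
        visible[attr] = values
    return visible


if __name__ == "__main__":
    # Constructed directory entry as returned by an unfiltered search.
    entry = {
        "cn": ["alice"],
        "sAMAccountName": ["alice"],
        "employeeSecretToken": ["constructed-value"],
        "recoveryPin": ["0000"],
        "undocumentedAttr": ["x"],
    }
    print("confidential attributes:", confidential_attributes(SAMPLE_SCHEMA))
    print("view without control access:", filter_entry(entry, SAMPLE_SCHEMA))
    print("view with control access on recoveryPin:",
          filter_entry(entry, SAMPLE_SCHEMA, {"recoveryPin"}))
```

The filter is applied per attribute, not per object: an entry stays visible, only its confidential attributes drop out, which matches the distinction the thread draws between object-level read ACLs (the deactivated code) and the narrower fCONFIDENTIAL protection wanted for 4.0.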
We used to have some code for this, but it's off by default, so maybe we should put it back on and see what is breaking?
Created attachment 8182 [details] Patches cherry-picked from master for confidential attribute support
Comment on attachment 8182 [details] Patches cherry-picked from master for confidential attribute support Looks good
Karolin, please pick this to v4-0-test, remove it as blocker for bug #8622 and reassign it to me for the full fix.
(In reply to comment #7)
> Karolin, please pick this to v4-0-test and remove it as blocker for bug #8622
> and reassigned it to me for the full fix.

Pushed to autobuild-v4-0-test. Removed as blocker.
Pushed to v4-0-test. Closing out bug report. Thanks!
I have some patches which allow us to turn on "acl:search=true" without slowing down make test.

https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=9b17dfc1e0515deb25

For now, mark it as a blocker for 4.0 until we decide whether we would like to switch this on by default. At least we should try to support it optionally.
(In reply to comment #10)
> I have some patches which allow us to turn on "acl:search=true" without slowing
> down make test.
>
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=9b17dfc1e0515deb25

The patches still need some cleanup...
Created attachment 8256 [details] Patches for v4-0-test
Comment on attachment 8256 [details] Patches for v4-0-test ACK
==> Karolin for 4.0
Pushed to autobuild-v4-0-test.