authorNadezhda Ivanova <nivanova@samba.org>2010-09-14 10:51:14 +0300
committerNadezhda Ivanova <nivanova@samba.org>2010-09-26 15:36:09 -0700
commit3d0e36bc87bd23e3d1bff7468db2eb99531d8d87 (patch)
tree487f7578915ab0cd49e79d3f26c63fa0cb593c23
parent5ffacff5c4a4799aacf97cbc28581f8e302c145c (diff)
s4-ldap: Added a control to apply the access checks on read via LDAP
-rw-r--r--source4/dsdb/samdb/samdb.h3
-rw-r--r--source4/ldap_server/ldap_backend.c1
-rw-r--r--source4/libcli/ldap/ldap_controls.c2
3 files changed, 6 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index a3d8f7952d2..4a9edbae101 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -192,4 +192,7 @@ struct dsdb_fsmo_extended_op {
struct GUID destination_dsa_guid;
};
+/* applied access checks on LDAP reads */
+#define DSDB_CONTROL_SEARCH_APPLY_ACCESS "1.3.6.1.4.1.7165.4.3.15"
+
#endif /* __SAMDB_H__ */
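Review bot: The comment on the new `DSDB_CONTROL_SEARCH_APPLY_ACCESS` define does not say who sets the control or that it is internal, which matters for a control that gates read access checks. The other hunks of this commit show it is added by the LDAP server to each search and has no network representation, so the comment could read `/* internal control, no network representation: added by the LDAP server to a search to request that read access checks are applied */`. Which module consumes the control is not visible in this commit and would be worth naming in the comment too.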
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 6faaa30c2f1..6a518e48a31 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -579,6 +579,7 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
}
}
+ ldb_request_add_control(lreq, DSDB_CONTROL_SEARCH_APPLY_ACCESS, false, NULL);
ldb_set_timeout(samdb, lreq, req->timelimit);
ldb_ret = ldb_request(samdb, lreq);
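Review bot: The return value of `ldb_request_add_control()` on the added line is discarded, so if the call fails, the `ldb_request()` two lines later still runs the search without the control that requests read access checks. Capture it with `ldb_ret = ldb_request_add_control(lreq, DSDB_CONTROL_SEARCH_APPLY_ACCESS, false, NULL);` and, on `ldb_ret != LDB_SUCCESS`, take the error path the function uses for other ldb failures; that path is not visible here, because ldapsrv_SearchRequest starts and ends outside the hunk. The control is also added as non-critical (`false`), which presumably lets a module stack that does not handle it run the search unchecked. If that is intentional, a comment saying why would help; otherwise consider `true` so the request fails closed.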
diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 5244975dfc3..b8becb89554 100644
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
@@ -1166,6 +1166,8 @@ static const struct ldap_control_handler ldap_known_controls[] = {
{ "1.3.6.1.4.1.7165.4.3.7", NULL, NULL },
/* DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID is internal only, and has no network representation */
{ "1.3.6.1.4.1.7165.4.3.8", NULL, NULL },
+/* DSDB_CONTROL_SEARCH_APPLY_ACCESS is internal only, and has no network representation */
+ { "1.3.6.1.4.1.7165.4.3.15", NULL, NULL },
/* DSDB_EXTENDED_REPLICATED_OBJECTS_OID is internal only, and has no network representation */
{ "1.3.6.1.4.1.7165.4.4.1", NULL, NULL },
{ DSDB_OPENLDAP_DEREFERENCE_CONTROL, decode_openldap_dereference, encode_openldap_dereference},
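Review bot: The new `{ "1.3.6.1.4.1.7165.4.3.15", NULL, NULL }` entry is described as internal only, but nothing visible here shows what the server does when a client sends this OID on the wire. That behaviour lives in the decode path outside the hunk (the `ldap_known_controls` array also starts and ends outside it), so it is worth confirming, ideally with a test, that a control the server attaches itself cannot be supplied or influenced from the network. As a smaller point, the OID literal duplicates the value of `DSDB_CONTROL_SEARCH_APPLY_ACCESS` from samdb.h and only the comment links the two. That matches the neighbouring entries, but the two can drift apart silently if either is edited.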