From 85e8c863025db3dd6b895b42c7bf53c5b339b48a Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@matws.net>
Date: Thu, 14 Apr 2011 23:03:50 +0400
Subject: [PATCH] s4-dsdb: Add more information on why we don't check the SD
 control

Signed-off-by: Nadezhda Ivanova <nivanova@samba.org>

Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Fri Apr 15 16:16:27 CEST 2011 on sn-devel-104
---
 source4/dsdb/samdb/ldb_modules/acl_read.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 359b39f09b9..181619ab287 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -287,6 +287,11 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	if (!ac->schema) {
 		return ldb_operr(ldb);
 	}
+	/*
+	 * In theory we should also check for the SD control but control verification is
+	 * expensive so we'd better had the ntsecuritydescriptor to the list of
+	 * searched attribute and then remove it !
+	 */
 	ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
 	if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
 		if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
-- 
2.11.4.GIT