CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison

LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set, so we
would not successfully return if the element was a DELETE. Correct the
expression to what it was intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest/knownfail.d/acl-spn-delete

@@ -1 +0,0 @@
-^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\(

source4/dsdb/samdb/ldb_modules/acl.c

@@ -734,8 +734,9 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 		 * If not add or replace (eg delete),
 		 * return success
 		 */
-		if ((el->flags
-		     & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0) {
+		if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD &&
+		    LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE)
+		{
 			talloc_free(tmp_ctx);
 			return LDB_SUCCESS;
 		}