diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs
index b53c9925cde..3e2c9262d96 100644
--- a/lib/ldb/ABI/ldb-2.8.0.sigs
+++ b/lib/ldb/ABI/ldb-2.8.0.sigs
@@ -174,6 +174,8 @@ ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, cons
 ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *)
 ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *)
 ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
+ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *)
+ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *)
 ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int)
 ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *)
 ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double)
@@ -191,6 +193,7 @@ ldb_msg_new: struct ldb_message *(TALLOC_CTX *)
 ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **)
 ldb_msg_remove_attr: void (struct ldb_message *, const char *)
 ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *)
+ldb_msg_remove_inaccessible: void (struct ldb_message *)
 ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *)
 ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *)
 ldb_msg_sort_elements: void (struct ldb_message *)
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index c3db513425e..3f4f5ac90f1 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -795,6 +795,32 @@ int ldb_msg_element_compare_name(struct ldb_message_element *el1,
 	return ldb_attr_cmp(el1->name, el2->name);
 }
 
+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el)
+{
+	el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+}
+
+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el)
+{
+	return (el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE) != 0;
+}
+
+void ldb_msg_remove_inaccessible(struct ldb_message *msg)
+{
+	unsigned i;
+	unsigned num_del = 0;
+
+	for (i = 0; i < msg->num_elements; ++i) {
+		if (ldb_msg_element_is_inaccessible(&msg->elements[i])) {
+			++num_del;
+		} else if (num_del) {
+			msg->elements[i - num_del] = msg->elements[i];
+		}
+	}
+
+	msg->num_elements -= num_del;
+}
+
 /*
   convenience functions to return common types from a message
   these return the first value if the attribute is multi-valued
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 7de4924f309..8449294744d 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -513,6 +513,10 @@ struct ldb_extended_match_rule
 int ldb_register_extended_match_rule(struct ldb_context *ldb,
 				     const struct ldb_extended_match_rule *rule);
 
+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el);
+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el);
+void ldb_msg_remove_inaccessible(struct ldb_message *msg);
+
 /*
  * these pack/unpack functions are exposed in the library for use by
  * ldb tools like ldbdump and for use in tests,