]> git.sur5r.net Git - openldap/blob - servers/slapd/modrdn.c
now I remember why I introduced the 'has_ldapinfo_dn_ru' flag
[openldap] / servers / slapd / modrdn.c
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1998-2004 The OpenLDAP Foundation.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15 /* Portions Copyright 1999, Juan C. Gomez, All rights reserved.
16  * This software is not subject to any license of Silicon Graphics 
17  * Inc. or Purdue University.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * without restriction or fee of any kind as long as this notice
21  * is preserved.
22  */
23 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
24  * All rights reserved.
25  *
26  * Redistribution and use in source and binary forms are permitted
27  * provided that this notice is preserved and that due credit is given
28  * to the University of Michigan at Ann Arbor. The name of the University
29  * may not be used to endorse or promote products derived from this
30  * software without specific prior written permission. This software
31  * is provided ``as is'' without express or implied warranty.
32  */
33
34 #include "portable.h"
35
36 #include <stdio.h>
37
38 #include <ac/socket.h>
39 #include <ac/string.h>
40
41 #include "ldap_pvt.h"
42 #include "slap.h"
43 #ifdef LDAP_SLAPI
44 #include "slapi/slapi.h"
45 #endif
46
47 int
48 do_modrdn(
49     Operation   *op,
50     SlapReply   *rs
51 )
52 {
53         struct berval dn = { 0, NULL };
54         struct berval newrdn = { 0, NULL };
55         struct berval newSuperior = { 0, NULL };
56         ber_int_t       deloldrdn;
57
58         struct berval pnewSuperior = { 0, NULL };
59
60         struct berval nnewSuperior = { 0, NULL };
61
62         Backend *newSuperior_be = NULL;
63         ber_len_t       length;
64         int manageDSAit;
65
66 #ifdef NEW_LOGGING
67         LDAP_LOG( OPERATION, ENTRY, "do_modrdn: begin\n", 0, 0, 0 );
68 #else
69         Debug( LDAP_DEBUG_TRACE, "do_modrdn\n", 0, 0, 0 );
70 #endif
71
72
73         /*
74          * Parse the modrdn request.  It looks like this:
75          *
76          *      ModifyRDNRequest := SEQUENCE {
77          *              entry   DistinguishedName,
78          *              newrdn  RelativeDistinguishedName
79          *              deleteoldrdn    BOOLEAN,
80          *              newSuperior     [0] LDAPDN OPTIONAL (v3 Only!)
81          *      }
82          */
83
84         if ( ber_scanf( op->o_ber, "{mmb", &dn, &newrdn, &deloldrdn )
85             == LBER_ERROR )
86         {
87 #ifdef NEW_LOGGING
88                 LDAP_LOG( OPERATION, ERR, "do_modrdn: ber_scanf failed\n", 0, 0, 0 );
89 #else
90                 Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
91 #endif
92
93                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
94                 return SLAPD_DISCONNECT;
95         }
96
97         /* Check for newSuperior parameter, if present scan it */
98
99         if ( ber_peek_tag( op->o_ber, &length ) == LDAP_TAG_NEWSUPERIOR ) {
100                 if ( op->o_protocol < LDAP_VERSION3 ) {
101                         /* Conection record indicates v2 but field 
102                          * newSuperior is present: report error.
103                          */
104 #ifdef NEW_LOGGING
105                         LDAP_LOG( OPERATION, ERR,
106                                 "do_modrdn: (v2) invalid field newSuperior.\n", 0, 0, 0 );
107 #else
108                         Debug( LDAP_DEBUG_ANY,
109                             "modrdn(v2): invalid field newSuperior!\n",
110                             0, 0, 0 );
111 #endif
112
113                         send_ldap_discon( op, rs,
114                                 LDAP_PROTOCOL_ERROR, "newSuperior requires LDAPv3" );
115                         rs->sr_err = SLAPD_DISCONNECT;
116                         goto cleanup;
117                 }
118
119                 if ( ber_scanf( op->o_ber, "m", &newSuperior ) 
120                      == LBER_ERROR ) {
121
122 #ifdef NEW_LOGGING
123                         LDAP_LOG( OPERATION, ERR,
124                                 "do_modrdn: ber_scanf(\"m\") failed\n", 0, 0, 0 );
125 #else
126                         Debug( LDAP_DEBUG_ANY, "ber_scanf(\"m\") failed\n",
127                                 0, 0, 0 );
128 #endif
129
130                         send_ldap_discon( op, rs,
131                                 LDAP_PROTOCOL_ERROR, "decoding error" );
132                         rs->sr_err = SLAPD_DISCONNECT;
133                         goto cleanup;
134                 }
135                 op->orr_newSup = &pnewSuperior;
136                 op->orr_nnewSup = &nnewSuperior;
137         }
138
139 #ifdef NEW_LOGGING
140         LDAP_LOG( OPERATION, ARGS, 
141                 "do_modrdn: dn (%s) newrdn (%s) newsuperior(%s)\n",
142                 dn.bv_val, newrdn.bv_val,
143                 newSuperior.bv_len ? newSuperior.bv_val : "" );
144 #else
145         Debug( LDAP_DEBUG_ARGS,
146             "do_modrdn: dn (%s) newrdn (%s) newsuperior (%s)\n",
147                 dn.bv_val, newrdn.bv_val,
148                 newSuperior.bv_len ? newSuperior.bv_val : "" );
149 #endif
150
151         if ( ber_scanf( op->o_ber, /*{*/ "}") == LBER_ERROR ) {
152 #ifdef NEW_LOGGING
153                 LDAP_LOG( OPERATION, ERR, "do_modrdn: ber_scanf failed\n", 0, 0, 0 );
154 #else
155                 Debug( LDAP_DEBUG_ANY, "do_modrdn: ber_scanf failed\n", 0, 0, 0 );
156 #endif
157
158                 send_ldap_discon( op, rs,
159                         LDAP_PROTOCOL_ERROR, "decoding error" );
160                 rs->sr_err = SLAPD_DISCONNECT;
161                 goto cleanup;
162         }
163
164         if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
165 #ifdef NEW_LOGGING
166                 LDAP_LOG( OPERATION, ERR, "do_modrdn: get_ctrls failed\n", 0, 0, 0 );
167 #else
168                 Debug( LDAP_DEBUG_ANY, "do_modrdn: get_ctrls failed\n", 0, 0, 0 );
169 #endif
170
171                 /* get_ctrls has sent results.  Now clean up. */
172                 goto cleanup;
173         } 
174
175         rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
176         if( rs->sr_err != LDAP_SUCCESS ) {
177 #ifdef NEW_LOGGING
178                 LDAP_LOG( OPERATION, INFO, 
179                         "do_modrdn: conn %d  invalid dn (%s)\n",
180                         op->o_connid, dn.bv_val, 0 );
181 #else
182                 Debug( LDAP_DEBUG_ANY,
183                         "do_modrdn: invalid dn (%s)\n", dn.bv_val, 0, 0 );
184 #endif
185                 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
186                 goto cleanup;
187         }
188
189         if( op->o_req_ndn.bv_len == 0 ) {
190 #ifdef NEW_LOGGING
191                 LDAP_LOG( OPERATION, ERR,
192                         "do_modrdn:  attempt to modify root DSE.\n", 0, 0, 0 );
193 #else
194                 Debug( LDAP_DEBUG_ANY, "do_modrdn: root dse!\n", 0, 0, 0 );
195 #endif
196
197                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
198                         "cannot rename the root DSE" );
199                 goto cleanup;
200
201         } else if ( bvmatch( &op->o_req_ndn, &global_schemandn ) ) {
202 #ifdef NEW_LOGGING
203                 LDAP_LOG( OPERATION, ERR,
204                         "do_modrdn: attempt to modify subschema subentry: %s (%ld)\n",
205                         global_schemandn.bv_val, (long) global_schemandn.bv_len, 0 );
206 #else
207                 Debug( LDAP_DEBUG_ANY, "do_modrdn: subschema subentry: %s (%ld)\n",
208                         global_schemandn.bv_val, (long) global_schemandn.bv_len, 0 );
209 #endif
210
211                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
212                         "cannot rename subschema subentry" );
213                 goto cleanup;
214         }
215
216         /* FIXME: should have/use rdnPretty / rdnNormalize routines */
217
218         rs->sr_err = dnPrettyNormal( NULL, &newrdn, &op->orr_newrdn, &op->orr_nnewrdn, op->o_tmpmemctx );
219         if( rs->sr_err != LDAP_SUCCESS ) {
220 #ifdef NEW_LOGGING
221                 LDAP_LOG( OPERATION, INFO, 
222                         "do_modrdn: conn %d  invalid newrdn (%s)\n",
223                         op->o_connid, newrdn.bv_val, 0 );
224 #else
225                 Debug( LDAP_DEBUG_ANY,
226                         "do_modrdn: invalid newrdn (%s)\n", newrdn.bv_val, 0, 0 );
227 #endif
228                 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid new RDN" );
229                 goto cleanup;
230         }
231
232         if( rdnValidate( &op->orr_newrdn ) != LDAP_SUCCESS ) {
233 #ifdef NEW_LOGGING
234                 LDAP_LOG( OPERATION, ERR, 
235                         "do_modrdn: invalid rdn (%s).\n", op->orr_newrdn.bv_val, 0, 0 );
236 #else
237                 Debug( LDAP_DEBUG_ANY, "do_modrdn: invalid rdn (%s)\n",
238                         op->orr_newrdn.bv_val, 0, 0 );
239 #endif
240
241                 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid new RDN" );
242                 goto cleanup;
243         }
244
245         if( op->orr_newSup ) {
246                 rs->sr_err = dnPrettyNormal( NULL, &newSuperior, &pnewSuperior,
247                         &nnewSuperior, op->o_tmpmemctx );
248                 if( rs->sr_err != LDAP_SUCCESS ) {
249 #ifdef NEW_LOGGING
250                         LDAP_LOG( OPERATION, INFO, 
251                                 "do_modrdn: conn %d  invalid newSuperior (%s)\n",
252                                 op->o_connid, newSuperior.bv_val, 0 );
253 #else
254                         Debug( LDAP_DEBUG_ANY,
255                                 "do_modrdn: invalid newSuperior (%s)\n",
256                                 newSuperior.bv_val, 0, 0 );
257 #endif
258                         send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid newSuperior" );
259                         goto cleanup;
260                 }
261         }
262
263         Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu MODRDN dn=\"%s\"\n",
264             op->o_connid, op->o_opid, op->o_req_dn.bv_val, 0, 0 );
265
266         manageDSAit = get_manageDSAit( op );
267
268         /*
269          * We could be serving multiple database backends.  Select the
270          * appropriate one, or send a referral to our "referral server"
271          * if we don't hold it.
272          */
273         if ( (op->o_bd = select_backend( &op->o_req_ndn, manageDSAit, 0 )) == NULL ) {
274                 rs->sr_ref = referral_rewrite( default_referral,
275                         NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
276                 if (!rs->sr_ref) rs->sr_ref = default_referral;
277
278                 if ( rs->sr_ref != NULL ) {
279                         rs->sr_err = LDAP_REFERRAL;
280                         send_ldap_result( op, rs );
281
282                         if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
283                 } else {
284                         send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
285                                         "referral missing" );
286                 }
287                 goto cleanup;
288         }
289
290         /* check restrictions */
291         if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
292                 send_ldap_result( op, rs );
293                 goto cleanup;
294         }
295
296         /* check for referrals */
297         if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
298                 goto cleanup;
299         }
300
301         /* Make sure that the entry being changed and the newSuperior are in 
302          * the same backend, otherwise we return an error.
303          */
304         if( op->orr_newSup ) {
305                 newSuperior_be = select_backend( &nnewSuperior, 0, 0 );
306
307                 if ( newSuperior_be != op->o_bd ) {
308                         /* newSuperior is in different backend */
309                         send_ldap_error( op, rs, LDAP_AFFECTS_MULTIPLE_DSAS,
310                                 "cannot rename between DSAs" );
311
312                         goto cleanup;
313                 }
314         }
315
316 #if defined( LDAP_SLAPI )
317 #define pb      op->o_pb
318         if ( pb ) {
319                 slapi_int_pblock_set_operation( pb, op );
320                 slapi_pblock_set( pb, SLAPI_MODRDN_TARGET, (void *)dn.bv_val );
321                 slapi_pblock_set( pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn.bv_val );
322                 slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR,
323                                 (void *)newSuperior.bv_val );
324                 slapi_pblock_set( pb, SLAPI_MODRDN_DELOLDRDN, (void *)deloldrdn );
325                 slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)manageDSAit );
326
327                 rs->sr_err = slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_PRE_MODRDN_FN, pb );
328                 if ( rs->sr_err < 0 ) {
329                         /*
330                          * A preoperation plugin failure will abort the
331                          * entire operation.
332                          */
333 #ifdef NEW_LOGGING
334                         LDAP_LOG( OPERATION, INFO, "do_modrdn: modrdn preoperation plugin "
335                                         "failed\n", 0, 0, 0 );
336 #else
337                         Debug(LDAP_DEBUG_TRACE, "do_modrdn: modrdn preoperation plugin "
338                                         "failed.\n", 0, 0, 0);
339 #endif
340                         if ( ( slapi_pblock_get( pb, SLAPI_RESULT_CODE, (void *)&rs->sr_err ) != 0 ) ||
341                                  rs->sr_err == LDAP_SUCCESS ) {
342                                 rs->sr_err = LDAP_OTHER;
343                         }
344                         goto cleanup;
345                 }
346         }
347 #endif /* defined( LDAP_SLAPI ) */
348
349         /*
350          * do the modrdn if 1 && (2 || 3)
351          * 1) there is a modrdn function implemented in this backend;
352          * 2) this backend is master for what it holds;
353          * 3) it's a replica and the dn supplied is the update_ndn.
354          */
355         if ( op->o_bd->be_modrdn ) {
356                 /* do the update here */
357                 int repl_user = be_isupdate( op->o_bd, &op->o_ndn );
358 #ifndef SLAPD_MULTIMASTER
359                 if ( LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo ) &&
360                         ( !op->o_bd->be_update_ndn.bv_len || repl_user ))
361 #else
362                 if ( LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo ))
363 #endif
364                 {
365                         slap_callback cb = { NULL, slap_replog_cb, NULL, NULL };
366                         op->orr_deleteoldrdn = deloldrdn;
367 #ifdef SLAPD_MULTIMASTER
368                         if ( !op->o_bd->be_update_ndn.bv_len || !repl_user )
369 #endif
370                         {
371                                 cb.sc_next = op->o_callback;
372                                 op->o_callback = &cb;
373                         }
374                         op->o_bd->be_modrdn( op, rs );
375
376 #ifndef SLAPD_MULTIMASTER
377                 } else {
378                         BerVarray defref = NULL;
379                         if ( !LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo )) {
380                                 syncinfo_t *si;
381                                 LDAP_STAILQ_FOREACH( si, &op->o_bd->be_syncinfo, si_next ) {
382                                         struct berval tmpbv;
383                                         ber_dupbv( &tmpbv, &si->si_provideruri_bv[0] );
384                                         ber_bvarray_add( &defref, &tmpbv );
385                                 }
386                         } else {
387                                 defref = op->o_bd->be_update_refs
388                                         ? op->o_bd->be_update_refs : default_referral;
389                         }
390                         if ( defref != NULL ) {
391                                 rs->sr_ref = referral_rewrite( defref,
392                                         NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
393                                 if (!rs->sr_ref) rs->sr_ref = defref;
394
395                                 rs->sr_err = LDAP_REFERRAL;
396                                 send_ldap_result( op, rs );
397
398                                 if (rs->sr_ref != defref) ber_bvarray_free( rs->sr_ref );
399                         } else {
400                                 send_ldap_error( op, rs,
401                                         LDAP_UNWILLING_TO_PERFORM,
402                                         "referral missing" );
403                         }
404 #endif
405                 }
406         } else {
407                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
408                         "operation not supported within namingContext" );
409         }
410
411 #if defined( LDAP_SLAPI )
412         if ( pb != NULL && slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_POST_MODRDN_FN, pb ) < 0 ) {
413 #ifdef NEW_LOGGING
414                 LDAP_LOG( OPERATION, INFO, "do_modrdn: modrdn postoperation plugins "
415                                 "failed\n", 0, 0, 0 );
416 #else
417                 Debug(LDAP_DEBUG_TRACE, "do_modrdn: modrdn postoperation plugins "
418                                 "failed.\n", 0, 0, 0);
419 #endif
420         }
421 #endif /* defined( LDAP_SLAPI ) */
422
423 cleanup:
424
425         slap_graduate_commit_csn( op );
426
427         op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
428         op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
429
430         op->o_tmpfree( op->orr_newrdn.bv_val, op->o_tmpmemctx );        
431         op->o_tmpfree( op->orr_nnewrdn.bv_val, op->o_tmpmemctx );       
432
433         if ( pnewSuperior.bv_val ) op->o_tmpfree( pnewSuperior.bv_val, op->o_tmpmemctx );
434         if ( nnewSuperior.bv_val ) op->o_tmpfree( nnewSuperior.bv_val, op->o_tmpmemctx );
435
436         return rs->sr_err;
437 }
438
439 int
440 slap_modrdn2mods(
441         Operation       *op,
442         SlapReply       *rs,
443         Entry           *e,
444         LDAPRDN         old_rdn,
445         LDAPRDN         new_rdn,
446         Modifications   **pmod )
447 {
448         Modifications   *mod = NULL;
449         Modifications   **modtail = &mod;
450         int             a_cnt, d_cnt;
451         int repl_user;
452
453         assert( new_rdn != NULL );
454         assert( !op->orr_deleteoldrdn || old_rdn != NULL );
455
456         repl_user = be_isupdate( op->o_bd, &op->o_ndn );
457
458         /* Add new attribute values to the entry */
459         for ( a_cnt = 0; new_rdn[a_cnt]; a_cnt++ ) {
460                 AttributeDescription    *desc = NULL;
461                 Modifications           *mod_tmp;
462
463                 rs->sr_err = slap_bv2ad( &new_rdn[a_cnt]->la_attr, &desc, &rs->sr_text );
464
465                 if ( rs->sr_err != LDAP_SUCCESS ) {
466 #ifdef NEW_LOGGING
467                         LDAP_LOG ( OPERATION, ERR, 
468                                 "slap_modrdn2modlist: %s: %s (new)\n", 
469                                 rs->sr_text, 
470                                 new_rdn[ a_cnt ]->la_attr.bv_val, 0 );
471 #else
472                         Debug( LDAP_DEBUG_TRACE,
473                                 "slap_modrdn2modlist: %s: %s (new)\n",
474                                 rs->sr_text, 
475                                 new_rdn[ a_cnt ]->la_attr.bv_val, 0 );
476 #endif
477                         goto done;              
478                 }
479
480                 /* ACL check of newly added attrs */
481                 if ( op->o_bd && !access_allowed( op, e, desc,
482                         &new_rdn[a_cnt]->la_value, ACL_WRITE, NULL ) ) {
483 #ifdef NEW_LOGGING
484                         LDAP_LOG ( OPERATION, ERR, 
485                                 "slap_modrdn2modlist: access to attr \"%s\" "
486                                 "(new) not allowed\n", 
487                                 new_rdn[a_cnt]->la_attr.bv_val, 0, 0 );
488 #else
489                         Debug( LDAP_DEBUG_TRACE,
490                                 "slap_modrdn2modlist: access to attr \"%s\" "
491                                 "(new) not allowed\n", 
492                                 new_rdn[ a_cnt ]->la_attr.bv_val, 0, 0 );
493 #endif
494                         rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
495                         goto done;
496                 }
497
498                 /* Apply modification */
499                 mod_tmp = ( Modifications * )ch_malloc( sizeof( Modifications )
500                         + 4 * sizeof( struct berval ) );
501                 mod_tmp->sml_desc = desc;
502                 mod_tmp->sml_values = ( BerVarray )( mod_tmp + 1 );
503                 mod_tmp->sml_values[0] = new_rdn[a_cnt]->la_value;
504                 mod_tmp->sml_values[1].bv_val = NULL;
505                 if( desc->ad_type->sat_equality->smr_normalize) {
506                         mod_tmp->sml_nvalues = &mod_tmp->sml_values[2];
507                         (void) (*desc->ad_type->sat_equality->smr_normalize)(
508                                 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
509                                 desc->ad_type->sat_syntax,
510                                 desc->ad_type->sat_equality,
511                                 &mod_tmp->sml_values[0],
512                                 &mod_tmp->sml_nvalues[0], op->o_tmpmemctx );
513                         mod_tmp->sml_nvalues[1].bv_val = NULL;
514                 } else {
515                         mod_tmp->sml_nvalues = NULL;
516                 }
517                 mod_tmp->sml_op = SLAP_MOD_SOFTADD;
518                 mod_tmp->sml_next = mod;
519                 mod = mod_tmp;
520         }
521
522         /* Remove old rdn value if required */
523         if ( op->orr_deleteoldrdn ) {
524                 for ( d_cnt = 0; old_rdn[d_cnt]; d_cnt++ ) {
525                         AttributeDescription    *desc = NULL;
526                         Modifications           *mod_tmp;
527
528                         rs->sr_err = slap_bv2ad( &old_rdn[d_cnt]->la_attr, &desc, &rs->sr_text );
529                         if ( rs->sr_err != LDAP_SUCCESS ) {
530 #ifdef NEW_LOGGING
531                                 LDAP_LOG ( OPERATION, ERR, 
532                                         "slap_modrdn2modlist: %s: %s (old)\n", 
533                                         rs->sr_text, 
534                                         old_rdn[d_cnt]->la_attr.bv_val, 
535                                         0 );
536 #else
537                                 Debug( LDAP_DEBUG_TRACE,
538                                         "slap_modrdn2modlist: %s: %s (old)\n",
539                                         rs->sr_text, 
540                                         old_rdn[d_cnt]->la_attr.bv_val, 
541                                         0 );
542 #endif
543                                 goto done;              
544                         }
545
546                         /* ACL check of newly added attrs */
547                         if ( op->o_bd && !access_allowed( op, e, desc,
548                                 &old_rdn[d_cnt]->la_value, ACL_WRITE, 
549                                 NULL ) ) {
550 #ifdef NEW_LOGGING
551                                 LDAP_LOG ( OPERATION, ERR, 
552                                         "slap_modrdn2modlist: access "
553                                         "to attr \"%s\" (old) not allowed\n", 
554                                         old_rdn[ d_cnt ]->la_attr.bv_val, 
555                                         0, 0 );
556 #else
557                                 Debug( LDAP_DEBUG_TRACE,
558                                         "slap_modrdn2modlist: access "
559                                         "to attr \"%s\" (old) not allowed\n", 
560                                         old_rdn[ d_cnt ]->la_attr.bv_val,
561                                         0, 0 );
562 #endif
563                                 rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
564                                 goto done;
565                         }
566
567                         /* Apply modification */
568                         mod_tmp = ( Modifications * )ch_malloc( sizeof( Modifications )
569                                 + 4 * sizeof ( struct berval ) );
570                         mod_tmp->sml_desc = desc;
571                         mod_tmp->sml_values = ( BerVarray )(mod_tmp+1);
572                         mod_tmp->sml_values[0] = old_rdn[d_cnt]->la_value;
573                         mod_tmp->sml_values[1].bv_val = NULL;
574                         if( desc->ad_type->sat_equality->smr_normalize) {
575                                 mod_tmp->sml_nvalues = &mod_tmp->sml_values[2];
576                                 (void) (*desc->ad_type->sat_equality->smr_normalize)(
577                                         SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
578                                         desc->ad_type->sat_syntax,
579                                         desc->ad_type->sat_equality,
580                                         &mod_tmp->sml_values[0],
581                                         &mod_tmp->sml_nvalues[0], op->o_tmpmemctx );
582                                 mod_tmp->sml_nvalues[1].bv_val = NULL;
583                         } else {
584                                 mod_tmp->sml_nvalues = NULL;
585                         }
586                         mod_tmp->sml_op = LDAP_MOD_DELETE;
587                         mod_tmp->sml_next = mod;
588                         mod = mod_tmp;
589                 }
590         }
591         
592 done:
593
594         if ( !repl_user ) {
595                 char textbuf[ SLAP_TEXT_BUFLEN ];
596                 size_t textlen = sizeof textbuf;
597
598                 for( modtail = &mod;
599                         *modtail != NULL;
600                         modtail = &(*modtail)->sml_next )
601                 {
602                         /* empty */
603                 }
604
605                 rs->sr_err = slap_mods_opattrs( op, mod, modtail, &rs->sr_text, textbuf, textlen );
606         }
607
608         /* LDAP v2 supporting correct attribute handling. */
609         if ( rs->sr_err != LDAP_SUCCESS && mod != NULL ) {
610                 Modifications *tmp;
611                 for ( ; mod; mod = tmp ) {
612                         tmp = mod->sml_next;
613                         ch_free( mod );
614                 }
615         }
616
617         *pmod = mod;
618
619         return rs->sr_err;
620 }