+
+ } else if ( attr->a_desc == slap_schema.si_ad_objectClass
+ || attr->a_desc == slap_schema.si_ad_structuralObjectClass ) {
+ int i, last;
+
+ for ( last = 0; attr->a_vals[last].bv_val; last++ ) ;
+ for ( i = 0, bv = attr->a_vals; bv->bv_val; bv++, i++ ) {
+ ldap_back_map(&li->oc_map, bv, &mapped,
+ BACKLDAP_REMAP);
+ if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
+ LBER_FREE(bv->bv_val);
+ bv->bv_val = NULL;
+ if (--last < 0)
+ break;
+ *bv = attr->a_vals[last];
+ attr->a_vals[last].bv_val = NULL;
+ i--;
+ } else if ( mapped.bv_val != bv->bv_val ) {
+ /*
+ * FIXME: after LBER_FREEing
+ * the value is replaced by
+ * ch_alloc'ed memory
+ */
+ LBER_FREE(bv->bv_val);
+ ber_dupbv( bv, &mapped );
+ }
+ }
+
+ /*
+ * It is necessary to try to rewrite attributes with
+ * dn syntax because they might be used in ACLs as
+ * members of groups; since ACLs are applied to the
+ * rewritten stuff, no dn-based subject clause could
+ * be used at the ldap backend side (see
+ * http://www.OpenLDAP.org/faq/data/cache/452.html)
+ * The problem can be overcome by moving the dn-based
+ * ACLs to the target directory server, and letting
+ * everything pass thru the ldap backend.
+ */
+ } else if ( strcmp( attr->a_desc->ad_type->sat_syntax->ssyn_oid,
+ SLAPD_DN_SYNTAX ) == 0 ) {
+ int i;
+ for ( i = 0, bv = attr->a_vals; bv->bv_val; bv++, i++ ) {
+ struct berval newval;
+
+#ifdef ENABLE_REWRITE
+ switch ( rewrite_session( li->rwinfo,
+ "searchResult",
+ bv->bv_val,
+ lc->conn,
+ &newval.bv_val )) {
+ case REWRITE_REGEXEC_OK:
+ /* left as is */
+ if ( newval.bv_val == NULL ) {
+ break;
+ }
+ newval.bv_len = strlen( newval.bv_val );
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_LDAP, DETAIL1,
+ "[rw] searchResult on attr=%s: \"%s\" -> \"%s\"\n",
+ attr->a_desc->ad_type->sat_cname.bv_val,
+ bv->bv_val, newval.bv_val );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ARGS,
+ "rw> searchResult on attr=%s: \"%s\" -> \"%s\"\n",
+ attr->a_desc->ad_type->sat_cname.bv_val,
+ bv->bv_val, newval.bv_val );
+#endif /* !NEW_LOGGING */
+ free( bv->bv_val );
+ *bv = newval;
+ break;
+
+ case REWRITE_REGEXEC_UNWILLING:
+
+ case REWRITE_REGEXEC_ERR:
+ /*
+ * FIXME: better give up,
+ * skip the attribute
+ * or leave it untouched?
+ */
+ break;
+ }
+#else /* !ENABLE_REWRITE */
+ ldap_back_dn_massage( li, bv, &newval, 0, 0 );
+ *bv = newval;
+#endif /* !ENABLE_REWRITE */
+ }
+ }
+