]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/bconfig.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add note about contrib/slapd-modules
[openldap] / servers / slapd / bconfig.c
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index b63078ecb97b2b7afe6893a5ea4f6118838b802f..3d3771b838df86ebf92e2d0e77fb966ebf888561 100644 (file)
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005 The OpenLDAP Foundation.
+ * Copyright 2005-2006 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -40,8 +40,6 @@
 static struct berval config_rdn = BER_BVC("cn=config");
 static struct berval schema_rdn = BER_BVC("cn=schema");
 
-#define        SLAP_X_ORDERED_FMT      "{%d}"
-
 #ifdef SLAPD_MODULES
 typedef struct modpath_s {
        struct modpath_s *mp_next;
@@ -71,12 +69,6 @@ typedef struct {
        int             cb_use_ldif;
 } CfBackInfo;
 
-/* These do nothing in slapd, they're kept only to make them
- * editable here.
- */
-static char *replica_pidFile, *replica_argsFile;
-static int replicationInterval;
-
 static char    *passwd_salt;
 static char    *logfileName;
 #ifdef SLAP_AUTH_REWRITE
@@ -151,6 +143,9 @@ enum {
        CFG_DIT,
        CFG_ATTR,
        CFG_ATOPT,
+       CFG_REPLICA_ARGSFILE,
+       CFG_REPLICA_PIDFILE,
+       CFG_REPLICATIONINTERVAL,
        CFG_REPLOG,
        CFG_ROOTDSE,
        CFG_LOGFILE,
@@ -186,19 +181,37 @@ static OidRec OidMacros[] = {
        { "OLcfgDbOc", "OLcfgOc:2" },
        { "OLcfgOvOc", "OLcfgOc:3" },
        { "OMsyn", "1.3.6.1.4.1.1466.115.121.1" },
-       { "OMsInteger", "OMsyn:27" },
        { "OMsBoolean", "OMsyn:7" },
        { "OMsDN", "OMsyn:12" },
        { "OMsDirectoryString", "OMsyn:15" },
+       { "OMsInteger", "OMsyn:27" },
+       { "OMsOID", "OMsyn:38" },
        { "OMsOctetString", "OMsyn:40" },
        { NULL, NULL }
 };
 
 /*
+ * Backend/Database registry
+ *
  * OLcfg{Bk|Db}{Oc|At}:0               -> common
- * OLcfg{Bk|Db}{Oc|At}:1               -> bdb
- * OLcfg{Bk|Db}{Oc|At}:2               -> ldif
- * OLcfg{Bk|Db}{Oc|At}:3               -> ldap?
+ * OLcfg{Bk|Db}{Oc|At}:1               -> back-bdb(/back-hdb)
+ * OLcfg{Bk|Db}{Oc|At}:2               -> back-ldif
+ * OLcfg{Bk|Db}{Oc|At}:3               -> back-ldap
+ */
+
+/*
+ * Overlay registry
+ *
+ * OLcfgOv{Oc|At}:1                    -> syncprov
+ * OLcfgOv{Oc|At}:2                    -> pcache
+ * OLcfgOv{Oc|At}:3                    -> chain
+ * OLcfgOv{Oc|At}:4                    -> accesslog
+ * OLcfgOv{Oc|At}:5                    -> valsort
+ * (FIXME: separate arc for contribware?)
+ * OLcfgOv{Oc|At}:6                    -> smbk5pwd
+ * OLcfgOv{Oc|At}:7                    -> distproc
+ * OLcfgOv{Oc|At}:8                    -> dynlist
+ * OLcfgOv{Oc|At}:9                    -> dds
  */
 
 /* alphabetical ordering */
@@ -234,7 +247,7 @@ static ConfigTable config_back_cf_table[] = {
                &config_generic, "( OLcfgGlAt:5 NAME 'olcAttributeOptions' "
                        "EQUALITY caseIgnoreMatch "
                        "SYNTAX OMsDirectoryString )", NULL, NULL },
-       { "attribute",  "attribute", 2, 0, 9,
+       { "attribute",  "attribute", 2, 0, STRLENOF( "attribute" ),
                ARG_PAREN|ARG_MAGIC|CFG_ATTR|ARG_NO_DELETE|ARG_NO_INSERT,
                &config_generic, "( OLcfgGlAt:4 NAME 'olcAttributeTypes' "
                        "DESC 'OpenLDAP attributeTypes' "
@@ -396,14 +409,14 @@ static ConfigTable config_back_cf_table[] = {
        { "replica", "host or uri", 2, 0, 0, ARG_DB|ARG_MAGIC,
                &config_replica, "( OLcfgDbAt:0.7 NAME 'olcReplica' "
                        "SUP labeledURI X-ORDERED 'VALUES' )", NULL, NULL },
-       { "replica-argsfile", NULL, 0, 0, 0, ARG_STRING,
-               &replica_argsFile, "( OLcfgGlAt:43 NAME 'olcReplicaArgsFile' "
+       { "replica-argsfile", NULL, 0, 0, 0, ARG_MAY_DB|ARG_MAGIC|ARG_STRING|CFG_REPLICA_ARGSFILE,
+               &config_generic, "( OLcfgGlAt:43 NAME 'olcReplicaArgsFile' "
                        "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
-       { "replica-pidfile", NULL, 0, 0, 0, ARG_STRING,
-               &replica_pidFile, "( OLcfgGlAt:44 NAME 'olcReplicaPidFile' "
+       { "replica-pidfile", NULL, 0, 0, 0, ARG_MAY_DB|ARG_MAGIC|ARG_STRING|CFG_REPLICA_PIDFILE,
+               &config_generic, "( OLcfgGlAt:44 NAME 'olcReplicaPidFile' "
                        "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
-       { "replicationInterval", NULL, 0, 0, 0, ARG_INT,
-               &replicationInterval, "( OLcfgGlAt:45 NAME 'olcReplicationInterval' "
+       { "replicationInterval", NULL, 0, 0, 0, ARG_MAY_DB|ARG_MAGIC|ARG_INT|CFG_REPLICATIONINTERVAL,
+               &config_generic, "( OLcfgGlAt:45 NAME 'olcReplicationInterval' "
                        "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
        { "replogfile", "filename", 2, 2, 0, ARG_MAY_DB|ARG_MAGIC|ARG_STRING|CFG_REPLOG,
                &config_generic, "( OLcfgGlAt:46 NAME 'olcReplogFile' "
@@ -622,7 +635,6 @@ static ConfigOCs cf_ocs[] = {
                 "olcLogLevel $ "
                 "olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ "
                 "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
-                "olcReplicaPidFile $ olcReplicaArgsFile $ olcReplicationInterval $ "
                 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
                 "olcRootDSE $ "
                 "olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
@@ -654,6 +666,7 @@ static ConfigOCs cf_ocs[] = {
                "MUST olcDatabase "
                "MAY ( olcSuffix $ olcSubordinate $ olcAccess $ olcLastMod $ olcLimits $ "
                 "olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ "
+                "olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ "
                 "olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ "
                 "olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ "
                 "olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) )",
@@ -721,9 +734,16 @@ config_generic(ConfigArgs *c) {
                                int i;
 
                                for ( i=0; c->be->be_limits[i]; i++ ) {
-                                       bv.bv_len = sprintf( buf, SLAP_X_ORDERED_FMT, i );
-                                       bv.bv_val = buf+bv.bv_len;
-                                       limits_unparse( c->be->be_limits[i], &bv );
+                                       bv.bv_len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i );
+                                       if ( bv.bv_len >= sizeof( buf ) ) {
+                                               ber_bvarray_free_x( c->rvalue_vals, NULL );
+                                               c->rvalue_vals = NULL;
+                                               rc = 1;
+                                               break;
+                                       }
+                                       bv.bv_val = buf + bv.bv_len;
+                                       limits_unparse( c->be->be_limits[i], &bv,
+                                                       sizeof( buf ) - ( bv.bv_val - buf ) );
                                        bv.bv_len += bv.bv_val - buf;
                                        bv.bv_val = buf;
                                        value_add_one( &c->rvalue_vals, &bv );
@@ -768,6 +788,9 @@ config_generic(ConfigArgs *c) {
                                rc = 1;
                        }
                        break;
+               case CFG_ATOPT:
+                       ad_unparse_options( &c->rvalue_vals );
+                       break;
                case CFG_OC: {
                        ConfigFile *cf = c->private;
                        if ( !cf )
@@ -807,7 +830,13 @@ config_generic(ConfigArgs *c) {
                        char *src, *dst, ibuf[11];
                        struct berval bv, abv;
                        for (i=0, a=c->be->be_acl; a; i++,a=a->acl_next) {
-                               abv.bv_len = sprintf( ibuf, SLAP_X_ORDERED_FMT, i );
+                               abv.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
+                               if ( abv.bv_len >= sizeof( ibuf ) ) {
+                                       ber_bvarray_free_x( c->rvalue_vals, NULL );
+                                       c->rvalue_vals = NULL;
+                                       i = 0;
+                                       break;
+                               }
                                acl_unparse( a, &bv );
                                abv.bv_val = ch_malloc( abv.bv_len + bv.bv_len + 1 );
                                AC_MEMCPY( abv.bv_val, ibuf, abv.bv_len );
@@ -827,6 +856,21 @@ config_generic(ConfigArgs *c) {
                        rc = (!i);
                        break;
                }
+               case CFG_REPLICA_ARGSFILE:
+                       if ( c->be->be_replica_argsfile )
+                               c->value_string = ch_strdup( c->be->be_replica_argsfile );
+                       break;
+               case CFG_REPLICA_PIDFILE:
+                       if ( c->be->be_replica_pidfile )
+                               c->value_string = ch_strdup( c->be->be_replica_pidfile );
+                       break;
+               case CFG_REPLICATIONINTERVAL:
+                       if ( c->be->be_replicationinterval > 0 ) {
+                               c->value_int = c->be->be_replicationinterval;
+                       } else {
+                               rc = 1;
+                       }
+                       break;
                case CFG_REPLOG:
                        if ( c->be->be_replogfile )
                                c->value_string = ch_strdup( c->be->be_replogfile );
@@ -863,8 +907,14 @@ config_generic(ConfigArgs *c) {
                                for (i=0; !BER_BVISNULL(&mp->mp_loads[i]); i++) {
                                        struct berval bv;
                                        bv.bv_val = c->log;
-                                       bv.bv_len = sprintf( bv.bv_val, SLAP_X_ORDERED_FMT "%s", i,
+                                       bv.bv_len = snprintf( bv.bv_val, sizeof( c->log ),
+                                               SLAP_X_ORDERED_FMT "%s", i,
                                                mp->mp_loads[i].bv_val );
+                                       if ( bv.bv_len >= sizeof( c->log ) ) {
+                                               ber_bvarray_free_x( c->rvalue_vals, NULL );
+                                               c->rvalue_vals = NULL;
+                                               break;
+                                       }
                                        value_add_one( &c->rvalue_vals, &bv );
                                }
                        }
@@ -896,11 +946,18 @@ config_generic(ConfigArgs *c) {
 
                                idx.bv_val = ibuf;
                                for ( i=0; !BER_BVISNULL( &authz_rewrites[i] ); i++ ) {
-                                       idx.bv_len = sprintf( idx.bv_val, SLAP_X_ORDERED_FMT, i );
+                                       idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
+                                       if ( idx.bv_len >= sizeof( ibuf ) ) {
+                                               ber_bvarray_free_x( c->rvalue_vals, NULL );
+                                               c->rvalue_vals = NULL;
+                                               break;
+                                       }
                                        bv.bv_len = idx.bv_len + authz_rewrites[i].bv_len;
                                        bv.bv_val = ch_malloc( bv.bv_len + 1 );
-                                       strcpy( bv.bv_val, idx.bv_val );
-                                       strcpy( bv.bv_val+idx.bv_len, authz_rewrites[i].bv_val );
+                                       AC_MEMCPY( bv.bv_val, idx.bv_val, idx.bv_len );
+                                       AC_MEMCPY( &bv.bv_val[ idx.bv_len ],
+                                               authz_rewrites[i].bv_val,
+                                               authz_rewrites[i].bv_len + 1 );
                                        ber_bvarray_add( &c->rvalue_vals, &bv );
                                }
                        }
@@ -932,7 +989,7 @@ config_generic(ConfigArgs *c) {
                case CFG_MODLOAD:
                case CFG_AZREGEXP:
                case CFG_REWRITE:
-                       sprintf(c->log, "change requires slapd restart");
+                       snprintf(c->log, sizeof( c->log ), "change requires slapd restart");
                        break;
 
                case CFG_SALT:
@@ -940,6 +997,20 @@ config_generic(ConfigArgs *c) {
                        passwd_salt = NULL;
                        break;
 
+               case CFG_REPLICA_ARGSFILE:
+                       ch_free( c->be->be_replica_argsfile );
+                       c->be->be_replica_argsfile = NULL;
+                       break;
+
+               case CFG_REPLICA_PIDFILE:
+                       ch_free( c->be->be_replica_pidfile );
+                       c->be->be_replica_pidfile = NULL;
+                       break;
+
+               case CFG_REPLICATIONINTERVAL:
+                       c->be->be_replicationinterval = 0;
+                       break;
+
                case CFG_REPLOG:
                        ch_free( c->be->be_replogfile );
                        c->be->be_replogfile = NULL;
@@ -998,7 +1069,7 @@ config_generic(ConfigArgs *c) {
        switch(c->type) {
                case CFG_BACKEND:
                        if(!(c->bi = backend_info(c->argv[1]))) {
-                               sprintf( c->msg, "<%s> failed init", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> failed init", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s (%s)!\n",
                                        c->log, c->msg, c->argv[1] );
                                return(1);
@@ -1014,9 +1085,9 @@ config_generic(ConfigArgs *c) {
                        } else if ( !strcasecmp( c->argv[1], "frontend" )) {
                                c->be = frontendDB;
                        } else {
-                               c->be = backend_db_init(c->argv[1]);
+                               c->be = backend_db_init(c->argv[1], NULL);
                                if ( !c->be ) {
-                                       sprintf( c->msg, "<%s> failed init", c->argv[0] );
+                                       snprintf( c->msg, sizeof( c->msg ), "<%s> failed init", c->argv[0] );
                                        Debug(LDAP_DEBUG_ANY, "%s: %s (%s)!\n",
                                                c->log, c->msg, c->argv[1] );
                                        return(1);
@@ -1029,12 +1100,21 @@ config_generic(ConfigArgs *c) {
                        break;
 
                case CFG_THREADS:
-                       ldap_pvt_thread_pool_maxthreads(&connection_pool, c->value_int);
+                       if ( c->value_int > 2 * SLAP_MAX_WORKER_THREADS ) {
+                               snprintf( c->msg, sizeof( c->msg ),
+                                       "warning, threads=%d larger than twice the default (2*%d=%d); YMMV",
+                                       c->value_int, SLAP_MAX_WORKER_THREADS, 2 * SLAP_MAX_WORKER_THREADS );
+                               Debug(LDAP_DEBUG_ANY, "%s: %s.\n",
+                                       c->log, c->msg, 0 );
+                       }
+                       if ( slapMode & SLAP_SERVER_MODE )
+                               ldap_pvt_thread_pool_maxthreads(&connection_pool, c->value_int);
                        connection_pool_max = c->value_int;     /* save for reference */
                        break;
 
                case CFG_TTHREADS:
-                       ldap_pvt_thread_pool_maxthreads(&connection_pool, c->value_int);
+                       if ( slapMode & SLAP_TOOL_MODE )
+                               ldap_pvt_thread_pool_maxthreads(&connection_pool, c->value_int);
                        slap_tool_thread_max = c->value_int;    /* save for reference */
                        break;
 
@@ -1059,7 +1139,7 @@ config_generic(ConfigArgs *c) {
                case CFG_AZPOLICY:
                        ch_free(c->value_string);
                        if (slap_sasl_setpolicy( c->argv[1] )) {
-                               sprintf( c->msg, "<%s> unable to parse value", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse value", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                        c->log, c->msg, c->argv[1] );
                                return(1);
@@ -1134,18 +1214,85 @@ config_generic(ConfigArgs *c) {
                        break;
 
                case CFG_ACL:
-                       if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, c->valx) ) {
+                       if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, c->valx ) ) {
                                return 1;
                        }
                        break;
 
+               case CFG_REPLICA_ARGSFILE:
+                       if(SLAP_MONITOR(c->be)) {
+                               Debug(LDAP_DEBUG_ANY, "%s: "
+                                       "\"replica-argsfile\" should not be used "
+                                       "inside monitor database\n",
+                                       c->log, 0, 0);
+                               /* FIXME: should this be an error? */
+                               return(0);
+                       }
+
+                       if ( c->be->be_replica_argsfile != NULL ) {
+                               /* FIXME: error? */
+                               Debug(LDAP_DEBUG_ANY, "%s: "
+                                       "\"replica-argsfile\" already provided; "
+                                       "replacing \"%s\" with \"%s\".\n",
+                                       c->log, c->be->be_replica_argsfile, c->value_string );
+                               ch_free( c->be->be_replica_argsfile );
+                       }
+
+                       c->be->be_replica_argsfile = c->value_string;
+                       break;
+
+               case CFG_REPLICA_PIDFILE:
+                       if(SLAP_MONITOR(c->be)) {
+                               Debug(LDAP_DEBUG_ANY, "%s: "
+                                       "\"replica-pidfile\" should not be used "
+                                       "inside monitor database\n",
+                                       c->log, 0, 0);
+                               /* FIXME: should this be an error? */
+                               return(0);
+                       }
+
+                       if ( c->be->be_replica_pidfile != NULL ) {
+                               /* FIXME: error? */
+                               Debug(LDAP_DEBUG_ANY, "%s: "
+                                       "\"replica-pidfile\" already provided; "
+                                       "replacing \"%s\" with \"%s\".\n",
+                                       c->log, c->be->be_replica_pidfile, c->value_string );
+                               ch_free( c->be->be_replica_pidfile );
+                       }
+
+                       c->be->be_replica_pidfile = c->value_string;
+                       break;
+
+               case CFG_REPLICATIONINTERVAL:
+                       if(SLAP_MONITOR(c->be)) {
+                               Debug(LDAP_DEBUG_ANY, "%s: "
+                                       "\"replicationinterval\" should not be used "
+                                       "inside monitor database\n",
+                                       c->log, 0, 0);
+                               /* FIXME: should this be an error? */
+                               return(0);
+                       }
+
+                       c->be->be_replicationinterval = c->value_int;
+                       break;
+
                case CFG_REPLOG:
                        if(SLAP_MONITOR(c->be)) {
                                Debug(LDAP_DEBUG_ANY, "%s: "
                                        "\"replogfile\" should not be used "
                                        "inside monitor database\n",
                                        c->log, 0, 0);
-                               return(0);      /* FIXME: should this be an error? */
+                               /* FIXME: should this be an error? */
+                               return(0);
+                       }
+
+                       if ( c->be->be_replogfile != NULL ) {
+                               /* FIXME: error? */
+                               Debug(LDAP_DEBUG_ANY, "%s: "
+                                       "\"replogfile\" already provided; "
+                                       "replacing \"%s\" with \"%s\".\n",
+                                       c->log, c->be->be_replogfile, c->value_string );
+                               ch_free( c->be->be_replogfile );
                        }
 
                        c->be->be_replogfile = c->value_string;
@@ -1153,7 +1300,7 @@ config_generic(ConfigArgs *c) {
 
                case CFG_ROOTDSE:
                        if(read_root_dse_file(c->argv[1])) {
-                               sprintf( c->msg, "<%s> could not read file", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> could not read file", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",
                                        c->log, c->msg, c->argv[1] );
                                return(1);
@@ -1175,7 +1322,7 @@ config_generic(ConfigArgs *c) {
 
                case CFG_LASTMOD:
                        if(SLAP_NOLASTMODCMD(c->be)) {
-                               sprintf( c->msg, "<%s> not available for %s database",
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> not available for %s database",
                                        c->argv[0], c->be->bd_info->bi_type );
                                Debug(LDAP_DEBUG_ANY, "%s: %s\n",
                                        c->log, c->msg, 0 );
@@ -1189,7 +1336,7 @@ config_generic(ConfigArgs *c) {
 
                case CFG_SSTR_IF_MAX:
                        if (c->value_int < index_substr_if_minlen) {
-                               sprintf( c->msg, "<%s> invalid value", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> invalid value", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s (%d)\n",
                                        c->log, c->msg, c->value_int );
                                return(1);
@@ -1199,7 +1346,7 @@ config_generic(ConfigArgs *c) {
 
                case CFG_SSTR_IF_MIN:
                        if (c->value_int > index_substr_if_maxlen) {
-                               sprintf( c->msg, "<%s> invalid value", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> invalid value", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s (%d)\n",
                                        c->log, c->msg, c->value_int );
                                return(1);
@@ -1216,7 +1363,7 @@ config_generic(ConfigArgs *c) {
                                modcur = c->private;
                                /* This should never fail */
                                if ( module_path( modcur->mp_path.bv_val )) {
-                                       sprintf( c->msg, "<%s> module path no longer valid",
+                                       snprintf( c->msg, sizeof( c->msg ), "<%s> module path no longer valid",
                                                c->argv[0] );
                                        Debug(LDAP_DEBUG_ANY, "%s: %s (%s)\n",
                                                c->log, c->msg, modcur->mp_path.bv_val );
@@ -1286,7 +1433,7 @@ config_generic(ConfigArgs *c) {
                                /* quote all args but the first */
                                line = ldap_charray2str( c->argv, "\" \"" );
                                ber_str2bv( line, 0, 0, &bv );
-                               s = strchr( bv.bv_val, '"' );
+                               s = ber_bvchr( &bv, '"' );
                                assert( s != NULL );
                                /* move the trailing quote of argv[0] to the end */
                                AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
@@ -1303,13 +1450,10 @@ config_generic(ConfigArgs *c) {
 
 
                default:
-                       Debug( SLAPD_DEBUG_CONFIG_ERROR,
-                               "%s: unknown CFG_TYPE %d"
-                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+                       Debug( LDAP_DEBUG_ANY,
+                               "%s: unknown CFG_TYPE %d.\n",
                                c->log, c->type, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
                        return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 
        }
        return(0);
@@ -1406,14 +1550,14 @@ config_passwd_hash(ConfigArgs *c) {
        }
        for(i = 1; i < c->argc; i++) {
                if(!lutil_passwd_scheme(c->argv[i])) {
-                       sprintf( c->msg, "<%s> scheme not available", c->argv[0] );
+                       snprintf( c->msg, sizeof( c->msg ), "<%s> scheme not available", c->argv[0] );
                        Debug(LDAP_DEBUG_ANY, "%s: %s (%s)\n",
                                c->log, c->msg, c->argv[i]);
                } else {
                        ldap_charray_add(&default_passwd_hash, c->argv[i]);
                }
                if(!default_passwd_hash) {
-                       sprintf( c->msg, "<%s> no valid hashes found", c->argv[0] );
+                       snprintf( c->msg, sizeof( c->msg ), "<%s> no valid hashes found", c->argv[0] );
                        Debug(LDAP_DEBUG_ANY, "%s: %s\n",
                                c->log, c->msg, 0 );
                        return(1);
@@ -1449,14 +1593,13 @@ config_schema_dn(ConfigArgs *c) {
 static int
 config_sizelimit(ConfigArgs *c) {
        int i, rc = 0;
-       char *next;
        struct slap_limits_set *lim = &c->be->be_def_limit;
        if (c->op == SLAP_CONFIG_EMIT) {
                char buf[8192];
                struct berval bv;
                bv.bv_val = buf;
                bv.bv_len = 0;
-               limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv );
+               limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv, sizeof( buf ) );
                if ( !BER_BVISEMPTY( &bv ))
                        value_add_one( &c->rvalue_vals, &bv );
                else
@@ -1476,7 +1619,7 @@ config_sizelimit(ConfigArgs *c) {
                if(!strncasecmp(c->argv[i], "size", 4)) {
                        rc = limits_parse_one(c->argv[i], lim);
                        if ( rc ) {
-                               sprintf( c->msg, "<%s> unable to parse value", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse value", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                        c->log, c->msg, c->argv[i]);
                                return(1);
@@ -1485,20 +1628,11 @@ config_sizelimit(ConfigArgs *c) {
                        if(!strcasecmp(c->argv[i], "unlimited")) {
                                lim->lms_s_soft = -1;
                        } else {
-                               lim->lms_s_soft = strtol(c->argv[i], &next, 0);
-                               if(next == c->argv[i]) {
-                                       sprintf( c->msg, "<%s> unable to parse limit", c->argv[0]);
+                               if ( lutil_atoix( &lim->lms_s_soft, c->argv[i], 0 ) != 0 ) {
+                                       snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse limit", c->argv[0]);
                                        Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                                c->log, c->msg, c->argv[i]);
                                        return(1);
-                               } else if(next[0] != '\0') {
-                                       Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: "
-                                               "trailing chars \"%s\" in \"sizelimit <limit>\" line"
-                                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-                                               c->log, next, 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
-                                       return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                                }
                        }
                        lim->lms_s_hard = 0;
@@ -1510,14 +1644,13 @@ config_sizelimit(ConfigArgs *c) {
 static int
 config_timelimit(ConfigArgs *c) {
        int i, rc = 0;
-       char *next;
        struct slap_limits_set *lim = &c->be->be_def_limit;
        if (c->op == SLAP_CONFIG_EMIT) {
                char buf[8192];
                struct berval bv;
                bv.bv_val = buf;
                bv.bv_len = 0;
-               limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv );
+               limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv, sizeof( buf ) );
                if ( !BER_BVISEMPTY( &bv ))
                        value_add_one( &c->rvalue_vals, &bv );
                else
@@ -1533,7 +1666,7 @@ config_timelimit(ConfigArgs *c) {
                if(!strncasecmp(c->argv[i], "time", 4)) {
                        rc = limits_parse_one(c->argv[i], lim);
                        if ( rc ) {
-                               sprintf( c->msg, "<%s> unable to parse value", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse value", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                        c->log, c->msg, c->argv[i]);
                                return(1);
@@ -1542,20 +1675,11 @@ config_timelimit(ConfigArgs *c) {
                        if(!strcasecmp(c->argv[i], "unlimited")) {
                                lim->lms_t_soft = -1;
                        } else {
-                               lim->lms_t_soft = strtol(c->argv[i], &next, 0);
-                               if(next == c->argv[i]) {
-                                       sprintf( c->msg, "<%s> unable to parse limit", c->argv[0]);
+                               if ( lutil_atoix( &lim->lms_t_soft, c->argv[i], 0 ) != 0 ) {
+                                       snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse limit", c->argv[0]);
                                        Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                                c->log, c->msg, c->argv[i]);
                                        return(1);
-                               } else if(next[0] != '\0') {
-                                       Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: "
-                                               "trailing chars \"%s\" in \"timelimit <limit>\" line"
-                                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-                                               c->log, next, 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
-                                       return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                                }
                        }
                        lim->lms_t_hard = 0;
@@ -1574,12 +1698,10 @@ config_overlay(ConfigArgs *c) {
        }
        if(c->argv[1][0] == '-' && overlay_config(c->be, &c->argv[1][1])) {
                /* log error */
-               Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: (optional) %s overlay \"%s\" configuration failed"
-                       SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+               Debug( LDAP_DEBUG_ANY,
+                       "%s: (optional) %s overlay \"%s\" configuration failed.\n",
                        c->log, c->be == frontendDB ? "global " : "", &c->argv[1][1]);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
                return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
        } else if(overlay_config(c->be, c->argv[1])) {
                return(1);
        }
@@ -1698,17 +1820,18 @@ config_suffix(ConfigArgs *c)
                        int i = c->valx;
                        ch_free( c->be->be_suffix[i].bv_val );
                        ch_free( c->be->be_nsuffix[i].bv_val );
-                       for (; c->be->be_suffix[i].bv_val; i++) {
+                       do {
                                c->be->be_suffix[i] = c->be->be_suffix[i+1];
                                c->be->be_nsuffix[i] = c->be->be_nsuffix[i+1];
-                       }
+                               i++;
+                       } while ( !BER_BVISNULL( &c->be->be_suffix[i] ) );
                }
                return 0;
        }
 
 #ifdef SLAPD_MONITOR_DN
        if(!strcasecmp(c->argv[1], SLAPD_MONITOR_DN)) {
-               sprintf( c->msg, "<%s> DN is reserved for monitoring slapd",
+               snprintf( c->msg, sizeof( c->msg ), "<%s> DN is reserved for monitoring slapd",
                        c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s (%s)\n",
                        c->log, c->msg, SLAPD_MONITOR_DN);
@@ -1720,13 +1843,9 @@ config_suffix(ConfigArgs *c)
        ndn = c->value_ndn;
        tbe = select_backend(&ndn, 0, 0);
        if(tbe == c->be) {
-               Debug( SLAPD_DEBUG_CONFIG_ERROR,
-                       "%s: suffix already served by this backend!"
-                       SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+               Debug( LDAP_DEBUG_ANY, "%s: suffix already served by this backend!.\n",
                        c->log, 0, 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
                return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                free(pdn.bv_val);
                free(ndn.bv_val);
        } else if(tbe) {
@@ -1737,7 +1856,7 @@ config_suffix(ConfigArgs *c)
                        type = oi->oi_orig->bi_type;
                }
 
-               sprintf( c->msg, "<%s> namingContext \"%s\" already served by "
+               snprintf( c->msg, sizeof( c->msg ), "<%s> namingContext \"%s\" already served by "
                        "a preceding %s database serving namingContext",
                        c->argv[0], pdn.bv_val, type );
                Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
@@ -1801,7 +1920,7 @@ config_rootpw(ConfigArgs *c) {
 
        tbe = select_backend(&c->be->be_rootndn, 0, 0);
        if(tbe != c->be) {
-               sprintf( c->msg, "<%s> can only be set when rootdn is under suffix",
+               snprintf( c->msg, sizeof( c->msg ), "<%s> can only be set when rootdn is under suffix",
                        c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s\n",
                        c->log, c->msg, 0);
@@ -1825,7 +1944,7 @@ config_restrict(ConfigArgs *c) {
                { BER_BVC("modrdn"),            0 },
                { BER_BVC("delete"),            SLAP_RESTRICT_OP_DELETE },
                { BER_BVC("search"),            SLAP_RESTRICT_OP_SEARCH },
-               { BER_BVC("compare"),   SLAP_RESTRICT_OP_COMPARE },
+               { BER_BVC("compare"),           SLAP_RESTRICT_OP_COMPARE },
                { BER_BVC("read"),              SLAP_RESTRICT_OP_READS },
                { BER_BVC("write"),             SLAP_RESTRICT_OP_WRITES },
                { BER_BVC("extended"),  SLAP_RESTRICT_OP_EXTENDED },
@@ -1833,6 +1952,7 @@ config_restrict(ConfigArgs *c) {
                { BER_BVC("extended=" LDAP_EXOP_MODIFY_PASSWD ),        SLAP_RESTRICT_EXOP_MODIFY_PASSWD },
                { BER_BVC("extended=" LDAP_EXOP_X_WHO_AM_I ),           SLAP_RESTRICT_EXOP_WHOAMI },
                { BER_BVC("extended=" LDAP_EXOP_X_CANCEL ),             SLAP_RESTRICT_EXOP_CANCEL },
+               { BER_BVC("all"),               SLAP_RESTRICT_OP_ALL },
                { BER_BVNULL,   0 }
        };
 
@@ -1850,7 +1970,7 @@ config_restrict(ConfigArgs *c) {
        }
        i = verbs_to_mask( c->argc, c->argv, restrictable_ops, &restrictops );
        if ( i ) {
-               sprintf( c->msg, "<%s> unknown operation", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> unknown operation", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",
                        c->log, c->msg, c->argv[i]);
                return(1);
@@ -1870,6 +1990,7 @@ config_allows(ConfigArgs *c) {
                { BER_BVC("bind_anon_cred"),    SLAP_ALLOW_BIND_ANON_CRED },
                { BER_BVC("bind_anon_dn"),      SLAP_ALLOW_BIND_ANON_DN },
                { BER_BVC("update_anon"),       SLAP_ALLOW_UPDATE_ANON },
+               { BER_BVC("proxy_authz_anon"),  SLAP_ALLOW_PROXY_AUTHZ_ANON },
                { BER_BVNULL,   0 }
        };
        if (c->op == SLAP_CONFIG_EMIT) {
@@ -1885,7 +2006,7 @@ config_allows(ConfigArgs *c) {
        }
        i = verbs_to_mask(c->argc, c->argv, allowable_ops, &allows);
        if ( i ) {
-               sprintf( c->msg, "<%s> unknown feature", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> unknown feature", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",
                        c->log, c->msg, c->argv[i]);
                return(1);
@@ -1919,7 +2040,7 @@ config_disallows(ConfigArgs *c) {
        }
        i = verbs_to_mask(c->argc, c->argv, disallowable_ops, &disallows);
        if ( i ) {
-               sprintf( c->msg, "<%s> unknown feature", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> unknown feature", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",
                        c->log, c->msg, c->argv[i]);
                return(1);
@@ -1953,7 +2074,7 @@ config_requires(ConfigArgs *c) {
        }
        i = verbs_to_mask(c->argc, c->argv, requires_ops, &requires);
        if ( i ) {
-               sprintf( c->msg, "<%s> unknown feature", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> unknown feature", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",
                        c->log, c->msg, c->argv[i]);
                return(1);
@@ -1981,10 +2102,13 @@ loglevel_init( void )
                { BER_BVC("Stats2"),    LDAP_DEBUG_STATS2 },
                { BER_BVC("Shell"),     LDAP_DEBUG_SHELL },
                { BER_BVC("Parse"),     LDAP_DEBUG_PARSE },
+#if 0  /* no longer used (nor supported) */
                { BER_BVC("Cache"),     LDAP_DEBUG_CACHE },
                { BER_BVC("Index"),     LDAP_DEBUG_INDEX },
+#endif
                { BER_BVC("Sync"),      LDAP_DEBUG_SYNC },
-               { BER_BVNULL,   0 }
+               { BER_BVC("None"),      LDAP_DEBUG_NONE },
+               { BER_BVNULL,           0 }
        };
 
        return slap_verbmasks_init( &loglevel_ops, lo );
@@ -2020,6 +2144,43 @@ slap_loglevel_register( slap_mask_t m, struct berval *s )
        return rc;
 }
 
+int
+slap_loglevel_get( struct berval *s, int *l )
+{
+       int             rc;
+       unsigned long   i;
+       slap_mask_t     m;
+
+       if ( loglevel_ops == NULL ) {
+               loglevel_init();
+       }
+
+       for ( m = 0, i = 1; !BER_BVISNULL( &loglevel_ops[ i ].word ); i++ ) {
+               m |= loglevel_ops[ i ].mask;
+       }
+
+       m = ~m;
+
+       for ( i = 1; i <= ( 1 << ( sizeof( int ) * 8 - 1 ) ) && !( m & i ); i <<= 1 )
+               ;
+
+       if ( !( m & i ) ) {
+               return -1;
+       }
+
+       rc = slap_verbmasks_append( &loglevel_ops, i, s, loglevel_ignore );
+
+       if ( rc != 0 ) {
+               Debug( LDAP_DEBUG_ANY, "slap_loglevel_register(%lu, \"%s\") failed\n",
+                       i, s->bv_val, 0 );
+
+       } else {
+               *l = i;
+       }
+
+       return rc;
+}
+
 int
 str2loglevel( const char *s, int *l )
 {
@@ -2031,7 +2192,7 @@ str2loglevel( const char *s, int *l )
 
        i = verb_to_mask( s, loglevel_ops );
 
-       if ( BER_BVISNULL( &loglevel_ops[ i ].word) ) {
+       if ( BER_BVISNULL( &loglevel_ops[ i ].word ) ) {
                return -1;
        }
 
@@ -2077,7 +2238,6 @@ static int config_syslog;
 static int
 config_loglevel(ConfigArgs *c) {
        int i;
-       char *next;
 
        if ( loglevel_ops == NULL ) {
                loglevel_init();
@@ -2108,16 +2268,15 @@ config_loglevel(ConfigArgs *c) {
                int     level;
 
                if ( isdigit( c->argv[i][0] ) || c->argv[i][0] == '-' ) {
-                       level = strtol( c->argv[i], &next, 10 );
-                       if ( next == NULL || next[0] != '\0' ) {
-                               sprintf( c->msg, "<%s> unable to parse level", c->argv[0] );
+                       if( lutil_atoi( &level, c->argv[i] ) != 0 ) {
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse level", c->argv[0] );
                                Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                        c->log, c->msg, c->argv[i]);
                                return( 1 );
                        }
                } else {
                        if ( str2loglevel( c->argv[i], &level ) ) {
-                               sprintf( c->msg, "<%s> unknown level", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> unknown level", c->argv[0] );
                                Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                        c->log, c->msg, c->argv[i]);
                                return( 1 );
@@ -2154,7 +2313,7 @@ config_referral(ConfigArgs *c) {
                return 0;
        }
        if(validate_global_referral(c->argv[1])) {
-               sprintf( c->msg, "<%s> invalid URL", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> invalid URL", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s (%s)\n",
                        c->log, c->msg, c->argv[1]);
                return(1);
@@ -2196,7 +2355,13 @@ config_security(ConfigArgs *c) {
                        tgt = (slap_ssf_t *)((char *)set + sec_keys[i].off);
                        if ( *tgt ) {
                                rc = 0;
-                               bv.bv_len = sprintf( numbuf, "%u", *tgt );
+                               bv.bv_len = snprintf( numbuf, sizeof( numbuf ), "%u", *tgt );
+                               if ( bv.bv_len >= sizeof( numbuf ) ) {
+                                       ber_bvarray_free_x( c->rvalue_vals, NULL );
+                                       c->rvalue_vals = NULL;
+                                       rc = 1;
+                                       break;
+                               }
                                bv.bv_len += sec_keys[i].key.bv_len;
                                bv.bv_val = ch_malloc( bv.bv_len + 1);
                                next = lutil_strcopy( bv.bv_val, sec_keys[i].key.bv_val );
@@ -2218,15 +2383,14 @@ config_security(ConfigArgs *c) {
                        }
                }
                if ( !tgt ) {
-                       sprintf( c->msg, "<%s> unknown factor", c->argv[0] );
+                       snprintf( c->msg, sizeof( c->msg ), "<%s> unknown factor", c->argv[0] );
                        Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",
                                c->log, c->msg, c->argv[i]);
                        return(1);
                }
 
-               *tgt = strtol(src, &next, 10);
-               if(next == NULL || next[0] != '\0' ) {
-                       sprintf( c->msg, "<%s> unable to parse factor", c->argv[0] );
+               if ( lutil_atou( tgt, src ) != 0 ) {
+                       snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse factor", c->argv[0] );
                        Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                c->log, c->msg, c->argv[i]);
                        return(1);
@@ -2236,10 +2400,14 @@ config_security(ConfigArgs *c) {
 }
 
 char *
-anlist_unparse( AttributeName *an, char *ptr ) {
+anlist_unparse( AttributeName *an, char *ptr, ber_len_t buflen ) {
        int comma = 0;
+       char *start = ptr;
 
        for (; !BER_BVISNULL( &an->an_name ); an++) {
+               /* if buflen == 0, assume the buffer size has been 
+                * already checked otherwise */
+               if ( buflen > 0 && buflen - ( ptr - start ) < comma + an->an_name.bv_len ) return NULL;
                if ( comma ) *ptr++ = ',';
                ptr = lutil_strcopy( ptr, an->an_name.bv_val );
                comma = 1;
@@ -2255,16 +2423,23 @@ replica_unparse( struct slap_replica_info *ri, int i, struct berval *bv )
        struct berval bc = BER_BVNULL;
        char numbuf[32];
 
-       len = sprintf(numbuf, SLAP_X_ORDERED_FMT, i );
+       assert( !BER_BVISNULL( &ri->ri_bindconf.sb_uri ) );
+       
+       BER_BVZERO( bv );
+
+       len = snprintf(numbuf, sizeof( numbuf ), SLAP_X_ORDERED_FMT, i );
+       if ( len >= sizeof( numbuf ) ) {
+               /* FIXME: how can indicate error? */
+               return;
+       }
 
-       len += strlen( ri->ri_uri ) + STRLENOF("uri=");
        if ( ri->ri_nsuffix ) {
                for (i=0; !BER_BVISNULL( &ri->ri_nsuffix[i] ); i++) {
                        len += ri->ri_nsuffix[i].bv_len + STRLENOF(" suffix=\"\"");
                }
        }
        if ( ri->ri_attrs ) {
-               len += STRLENOF("attr");
+               len += STRLENOF(" attrs");
                if ( ri->ri_exclude ) len++;
                for (i=0; !BER_BVISNULL( &ri->ri_attrs[i].an_name ); i++) {
                        len += 1 + ri->ri_attrs[i].an_name.bv_len;
@@ -2277,8 +2452,13 @@ replica_unparse( struct slap_replica_info *ri, int i, struct berval *bv )
        bv->bv_len = len;
 
        ptr = lutil_strcopy( bv->bv_val, numbuf );
-       ptr = lutil_strcopy( ptr, "uri=" );
-       ptr = lutil_strcopy( ptr, ri->ri_uri );
+
+       /* start with URI from bindconf */
+       assert( !BER_BVISNULL( &bc ) );
+       if ( bc.bv_val ) {
+               strcpy( ptr, bc.bv_val );
+               ch_free( bc.bv_val );
+       }
 
        if ( ri->ri_nsuffix ) {
                for (i=0; !BER_BVISNULL( &ri->ri_nsuffix[i] ); i++) {
@@ -2288,21 +2468,17 @@ replica_unparse( struct slap_replica_info *ri, int i, struct berval *bv )
                }
        }
        if ( ri->ri_attrs ) {
-               ptr = lutil_strcopy( ptr, "attr" );
+               ptr = lutil_strcopy( ptr, " attrs" );
                if ( ri->ri_exclude ) *ptr++ = '!';
                *ptr++ = '=';
-               ptr = anlist_unparse( ri->ri_attrs, ptr );
-       }
-       if ( bc.bv_val ) {
-               strcpy( ptr, bc.bv_val );
-               ch_free( bc.bv_val );
+               ptr = anlist_unparse( ri->ri_attrs, ptr, 0 );
        }
 }
 
 static int
 config_replica(ConfigArgs *c) {
-       int i, nr = -1, len;
-       char *replicahost, *replicauri;
+       int i, nr = -1;
+       char *replicahost = NULL, *replicauri = NULL;
        LDAPURLDesc *ludp;
 
        if (c->op == SLAP_CONFIG_EMIT) {
@@ -2330,22 +2506,36 @@ config_replica(ConfigArgs *c) {
 
        for(i = 1; i < c->argc; i++) {
                if(!strncasecmp(c->argv[i], "host=", STRLENOF("host="))) {
+                       ber_len_t       len;
+
+                       if ( replicauri ) {
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> replica host/URI already specified", c->argv[0] );
+                               Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", c->log, c->msg, replicauri );
+                               return(1);
+                       }
+
                        replicahost = c->argv[i] + STRLENOF("host=");
-                       len = strlen( replicahost );
-                       replicauri = ch_malloc( len + STRLENOF("ldap://") + 1 );
-                       sprintf( replicauri, "ldap://%s", replicahost );
+                       len = strlen( replicahost ) + STRLENOF("ldap://");
+                       replicauri = ch_malloc( len + 1 );
+                       snprintf( replicauri, len + 1, "ldap://%s", replicahost );
                        replicahost = replicauri + STRLENOF( "ldap://");
                        nr = add_replica_info(c->be, replicauri, replicahost);
                        break;
                } else if(!strncasecmp(c->argv[i], "uri=", STRLENOF("uri="))) {
+                       if ( replicauri ) {
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> replica host/URI already specified", c->argv[0] );
+                               Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", c->log, c->msg, replicauri );
+                               return(1);
+                       }
+
                        if(ldap_url_parse(c->argv[i] + STRLENOF("uri="), &ludp) != LDAP_SUCCESS) {
-                               sprintf( c->msg, "<%s> invalid uri", c->argv[0] );
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> invalid uri", c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->msg, 0 );
                                return(1);
                        }
                        if(!ludp->lud_host) {
                                ldap_free_urldesc(ludp);
-                               sprintf( c->msg, "<%s> invalid uri - missing hostname",
+                               snprintf( c->msg, sizeof( c->msg ), "<%s> invalid uri - missing hostname",
                                        c->argv[0] );
                                Debug(LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->msg, 0 );
                                return(1);
@@ -2360,40 +2550,50 @@ config_replica(ConfigArgs *c) {
                }
        }
        if(i == c->argc) {
-               sprintf( c->msg, "<%s> missing host or uri", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> missing host or uri", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->msg, 0 );
                return(1);
        } else if(nr == -1) {
-               sprintf( c->msg, "<%s> unable to add replica", c->argv[0] );
-               Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", c->log, c->msg, replicauri );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> unable to add replica", c->argv[0] );
+               Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", c->log, c->msg,
+                       replicauri ? replicauri : "" );
                return(1);
        } else {
                for(i = 1; i < c->argc; i++) {
-                       if(!strncasecmp(c->argv[i], "suffix=", STRLENOF( "suffix="))) {
+                       if(!strncasecmp(c->argv[i], "uri=", STRLENOF("uri="))) {
+                               /* dealt with separately; don't let it get to bindconf */
+                               ;
+
+                       } else if(!strncasecmp(c->argv[i], "suffix=", STRLENOF( "suffix="))) {
                                switch(add_replica_suffix(c->be, nr, c->argv[i] + STRLENOF("suffix="))) {
                                        case 1:
-                                               Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: "
-                                               "suffix \"%s\" in \"replica\" line is not valid for backend"
-                                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-                                               c->log, c->argv[i] + STRLENOF("suffix="), 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+                                               Debug( LDAP_DEBUG_ANY, "%s: "
+                                                       "suffix \"%s\" in \"replica\" line is not valid for backend.\n",
+                                                       c->log, c->argv[i] + STRLENOF("suffix="), 0);
                                                return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                                                break;
                                        case 2:
-                                               Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: "
-                                               "unable to normalize suffix in \"replica\" line"
-                                               SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-                                               c->log, 0, 0);
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+                                               Debug( LDAP_DEBUG_ANY, "%s: "
+                                                       "unable to normalize suffix in \"replica\" line.\n",
+                                                       c->log, 0, 0);
                                                return 1;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
                                                break;
                                }
 
-                       } else if(!strncasecmp(c->argv[i], "attr", STRLENOF("attr"))) {
+                       } else if (!strncasecmp(c->argv[i], "attr", STRLENOF("attr"))
+                               || !strncasecmp(c->argv[i], "attrs", STRLENOF("attrs")))
+                       {
                                int exclude = 0;
                                char *arg = c->argv[i] + STRLENOF("attr");
+                               if (arg[0] == 's') {
+                                       arg++;
+                               } else {
+                                       Debug( LDAP_DEBUG_ANY,
+                                               "%s: \"attr\" "
+                                               "is deprecated (and undocumented); "
+                                               "use \"attrs\" instead.\n",
+                                               c->log, 0, 0 );
+                               }
                                if(arg[0] == '!') {
                                        arg++;
                                        exclude = 1;
@@ -2402,7 +2602,7 @@ config_replica(ConfigArgs *c) {
                                        continue;
                                }
                                if(add_replica_attrs(c->be, nr, arg + 1, exclude)) {
-                                       sprintf( c->msg, "<%s> unknown attribute", c->argv[0] );
+                                       snprintf( c->msg, sizeof( c->msg ), "<%s> unknown attribute", c->argv[0] );
                                        Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
                                                c->log, c->msg, arg + 1);
                                        return(1);
@@ -2432,7 +2632,7 @@ config_updatedn(ConfigArgs *c) {
                return 0;
        }
        if(SLAP_SHADOW(c->be)) {
-               sprintf( c->msg, "<%s> database already shadowed", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> database already shadowed", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s\n",
                        c->log, c->msg, 0);
                return(1);
@@ -2446,8 +2646,32 @@ config_updatedn(ConfigArgs *c) {
        BER_BVZERO( &c->value_dn );
        BER_BVZERO( &c->value_ndn );
 
-       SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | SLAP_DBFLAG_SLURP_SHADOW);
-       return(0);
+       return config_slurp_shadow( c );
+}
+
+int
+config_shadow( ConfigArgs *c, int flag )
+{
+       char    *notallowed = NULL;
+
+       if ( c->be == frontendDB ) {
+               notallowed = "frontend";
+
+       } else if ( SLAP_MONITOR(c->be) ) {
+               notallowed = "monitor";
+
+       } else if ( SLAP_CONFIG(c->be) ) {
+               notallowed = "config";
+       }
+
+       if ( notallowed != NULL ) {
+               Debug( LDAP_DEBUG_ANY, "%s: %s database cannot be shadow.\n", c->log, notallowed, 0 );
+               return 1;
+       }
+
+       SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | flag);
+
+       return 0;
 }
 
 static int
@@ -2473,7 +2697,7 @@ config_updateref(ConfigArgs *c) {
                return 0;
        }
        if(!SLAP_SHADOW(c->be)) {
-               sprintf( c->msg, "<%s> must appear after syncrepl or updatedn",
+               snprintf( c->msg, sizeof( c->msg ), "<%s> must appear after syncrepl or updatedn",
                        c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s\n",
                        c->log, c->msg, 0);
@@ -2481,7 +2705,7 @@ config_updateref(ConfigArgs *c) {
        }
 
        if(validate_global_referral(c->argv[1])) {
-               sprintf( c->msg, "<%s> invalid URL", c->argv[0] );
+               snprintf( c->msg, sizeof( c->msg ), "<%s> invalid URL", c->argv[0] );
                Debug(LDAP_DEBUG_ANY, "%s: %s (%s)\n",
                        c->log, c->msg, c->argv[1]);
                return(1);
@@ -2545,6 +2769,7 @@ config_tls_option(ConfigArgs *c) {
        default:                Debug(LDAP_DEBUG_ANY, "%s: "
                                        "unknown tls_option <0x%x>\n",
                                        c->log, c->type, 0);
+               return 1;
        }
        if (c->op == SLAP_CONFIG_EMIT) {
                return ldap_pvt_tls_get_option( NULL, flag, &c->value_string );
@@ -2579,6 +2804,7 @@ config_tls_config(ConfigArgs *c) {
                Debug(LDAP_DEBUG_ANY, "%s: "
                                "unknown tls_option <0x%x>\n",
                                c->log, c->type, 0);
+               return 1;
        }
        if (c->op == SLAP_CONFIG_EMIT) {
                ldap_pvt_tls_get_option( NULL, flag, &c->value_int );
@@ -2594,8 +2820,13 @@ config_tls_config(ConfigArgs *c) {
                return ldap_pvt_tls_set_option( NULL, flag, &i );
        }
        ch_free( c->value_string );
-       if(isdigit((unsigned char)c->argv[1][0])) {
-               i = atoi(c->argv[1]);
+       if ( isdigit( (unsigned char)c->argv[1][0] ) ) {
+               if ( lutil_atoi( &i, c->argv[1] ) != 0 ) {
+                       Debug(LDAP_DEBUG_ANY, "%s: "
+                               "unable to parse %s \"%s\"\n",
+                               c->log, c->argv[0], c->argv[1] );
+                       return 1;
+               }
                return(ldap_pvt_tls_set_option(NULL, flag, &i));
        } else {
                return(ldap_int_tls_config(NULL, flag, c->argv[1]));
@@ -2693,15 +2924,17 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) {
        if ( !cfb->cb_db.bd_info )
                return 0;       /* FIXME: eventually this will be a fatal error */
 
-       if ( cfb->cb_db.bd_info->bi_db_init( &cfb->cb_db )) return 1;
-
-       /* Mark that back-ldif type is in use */
-       cfb->cb_db.bd_info->bi_nDB++;
+       if ( backend_db_init( "ldif", &cfb->cb_db ) == NULL )
+               return 1;
 
        cfb->cb_db.be_suffix = be->be_suffix;
        cfb->cb_db.be_nsuffix = be->be_nsuffix;
-       cfb->cb_db.be_rootdn = be->be_rootdn;
-       cfb->cb_db.be_rootndn = be->be_rootndn;
+
+       /* The suffix is always "cn=config". The underlying DB's rootdn
+        * is always the same as the suffix.
+        */
+       cfb->cb_db.be_rootdn = be->be_suffix[0];
+       cfb->cb_db.be_rootndn = be->be_nsuffix[0];
 
        ber_str2bv( dir, 0, 1, &cfdir );
 
@@ -2737,8 +2970,8 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) {
                op->ors_filterstr = filterstr;
                op->ors_scope = LDAP_SCOPE_SUBTREE;
 
-               op->o_dn = be->be_rootdn;
-               op->o_ndn = be->be_rootndn;
+               op->o_dn = c.be->be_rootdn;
+               op->o_ndn = c.be->be_rootndn;
 
                op->o_req_dn = be->be_suffix[0];
                op->o_req_ndn = be->be_nsuffix[0];
@@ -2760,7 +2993,9 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) {
                ldap_pvt_thread_pool_context_reset( thrctx );
        }
 
-       cfb->cb_use_ldif = 1;
+       /* ITS#4194 - only use if it's present, or we're converting. */
+       if ( !readit || rc == LDAP_SUCCESS )
+               cfb->cb_use_ldif = 1;
 
        return rc;
 }
@@ -2803,7 +3038,7 @@ read_config(const char *fname, const char *dir) {
        int rc;
 
        /* Setup the config backend */
-       be = backend_db_init( "config" );
+       be = backend_db_init( "config", NULL );
        if ( !be )
                return 1;
 
@@ -2828,9 +3063,16 @@ read_config(const char *fname, const char *dir) {
                /* if fname is defaulted, try reading .d */
                rc = config_setup_ldif( be, cfdir, !fname );
 
-               /* It's OK if the base object doesn't exist yet */
-               if ( rc && rc != LDAP_NO_SUCH_OBJECT )
-                       return 1;
+               if ( rc ) {
+                       /* It may be OK if the base object doesn't exist yet. */
+                       if ( rc != LDAP_NO_SUCH_OBJECT )
+                               return 1;
+                       /* ITS#4194: But if dir was specified and no fname,
+                        * then we were supposed to read the dir.
+                        */
+                       if ( dir && !fname )
+                               return 1;
+               }
 
                /* If we read the config from back-ldif, nothing to do here */
                if ( cfb->cb_got_ldif ) {
@@ -2908,6 +3150,7 @@ config_send( Operation *op, SlapReply *rs, CfEntryInfo *ce, int depth )
        {
                rs->sr_attrs = op->ors_attrs;
                rs->sr_entry = ce->ce_entry;
+               rs->sr_flags = 0;
                rc = send_search_entry( op, rs );
        }
        if ( op->ors_scope == LDAP_SCOPE_SUBTREE ) {
@@ -3019,7 +3262,7 @@ check_vals( ConfigTable *ct, ConfigArgs *ca, void *ptr, int isAttr )
                sort = 1;
                rc = ordered_value_sort( a, 1 );
                if ( rc ) {
-                       sprintf(ca->msg, "ordered_value_sort failed on attr %s\n",
+                       snprintf(ca->msg, sizeof( ca->msg ), "ordered_value_sort failed on attr %s\n",
                                ad->ad_cname.bv_val );
                        return rc;
                }
@@ -3045,7 +3288,7 @@ check_name_index( CfEntryInfo *parent, ConfigType ce_type, Entry *e,
        CfEntryInfo *ce;
        int index = -1, gotindex = 0, nsibs;
        int renumber = 0, tailindex = 0;
-       char *ptr1, *ptr2;
+       char *ptr1, *ptr2 = NULL;
        struct berval rdn;
 
        if ( renum ) *renum = 0;
@@ -3059,15 +3302,19 @@ check_name_index( CfEntryInfo *parent, ConfigType ce_type, Entry *e,
 
        /* See if the rdn has an index already */
        dnRdn( &e->e_name, &rdn );
-       ptr1 = strchr( e->e_name.bv_val, '{' );
+       ptr1 = ber_bvchr( &e->e_name, '{' );
        if ( ptr1 && ptr1 - e->e_name.bv_val < rdn.bv_len ) {
+               char    *next;
                ptr2 = strchr( ptr1, '}' );
                if (!ptr2 || ptr2 - e->e_name.bv_val > rdn.bv_len)
                        return LDAP_NAMING_VIOLATION;
                if ( ptr2-ptr1 == 1)
                        return LDAP_NAMING_VIOLATION;
                gotindex = 1;
-               index = atoi(ptr1+1);
+               index = strtol( ptr1 + 1, &next, 10 );
+               if ( next == ptr1 + 1 || next[ 0 ] != '}' ) {
+                       return LDAP_NAMING_VIOLATION;
+               }
                if ( index < 0 ) {
                        /* Special case, we allow -1 for the frontendDB */
                        if ( index != -1 || ce_type != Cft_Database ||
@@ -3109,7 +3356,10 @@ check_name_index( CfEntryInfo *parent, ConfigType ce_type, Entry *e,
                        if (!a ) return LDAP_NAMING_VIOLATION;
 
                        ival.bv_val = ibuf;
-                       ival.bv_len = sprintf( ibuf, SLAP_X_ORDERED_FMT, nsibs );
+                       ival.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, nsibs );
+                       if ( ival.bv_len >= sizeof( ibuf ) ) {
+                               return LDAP_NAMING_VIOLATION;
+                       }
                        
                        newrdn.bv_len = rdn.bv_len + ival.bv_len;
                        newrdn.bv_val = ch_malloc( newrdn.bv_len+1 );
@@ -3361,9 +3611,19 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, i
         * These entries can have auto-assigned indexes (appended to the end)
         * but only the other types support auto-renumbering of siblings.
         */
-       rc = check_name_index( last, colst[0]->co_type, e, rs, renum );
-       if ( rc )
-               goto done;
+       {
+               int renumber = renum ? *renum : 0;
+               rc = check_name_index( last, colst[0]->co_type, e, rs, renum );
+               if ( rc ) {
+                       goto done;
+               }
+               if ( renum && *renum && renumber == -1 ) {
+                       snprintf( ca->msg, sizeof( ca->msg ),
+                               "operation requires sibling renumbering" );
+                       rc = LDAP_UNWILLING_TO_PERFORM;
+                       goto done;
+               }
+       }
 
        init_config_argv( ca );
 
@@ -3412,7 +3672,7 @@ ok:
                        }
                }
                if ( rc ) {
-                       sprintf( ca->msg, "<%s> failed startup", ca->argv[0] );
+                       snprintf( ca->msg, sizeof( ca->msg ), "<%s> failed startup", ca->argv[0] );
                        Debug(LDAP_DEBUG_ANY, "%s: %s (%s)!\n",
                                ca->log, ca->msg, ca->argv[1] );
                        rc = LDAP_OTHER;
@@ -3481,30 +3741,44 @@ config_back_add( Operation *op, SlapReply *rs )
         * 4) store entry in underlying database
         * 5) perform any necessary renumbering
         */
+       /* NOTE: by now we do not accept adds that require renumbering */
+       renumber = -1;
        rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber );
        if ( rs->sr_err != LDAP_SUCCESS ) {
                rs->sr_text = ca.msg;
-       } else if ( cfb->cb_use_ldif ) {
+               goto out2;
+       }
+
+       if ( cfb->cb_use_ldif ) {
                BackendDB *be = op->o_bd;
                slap_callback sc = { NULL, slap_null_cb, NULL, NULL };
+               struct berval dn, ndn;
+
                op->o_bd = &cfb->cb_db;
-               /* FIXME: there must be a better way. */
-               if ( ber_bvcmp( &op->o_bd->be_rootndn, &be->be_rootndn )) {
-                       op->o_bd->be_rootdn = be->be_rootdn;
-                       op->o_bd->be_rootndn= be->be_rootndn;
-               }
+
+               /* Save current rootdn; use the underlying DB's rootdn */
+               dn = op->o_dn;
+               ndn = op->o_ndn;
+               op->o_dn = op->o_bd->be_rootdn;
+               op->o_ndn = op->o_bd->be_rootndn;
+
                sc.sc_next = op->o_callback;
                op->o_callback = &sc;
                op->o_bd->be_add( op, rs );
                op->o_bd = be;
                op->o_callback = sc.sc_next;
+               op->o_dn = dn;
+               op->o_ndn = ndn;
        }
+
        if ( renumber ) {
+               /* TODO */
        }
 
+out2:;
        ldap_pvt_thread_pool_resume( &connection_pool );
 
-out:
+out:;
        send_ldap_result( op, rs );
        return rs->sr_err;
 }
@@ -3541,6 +3815,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
        ca->bi = ce->ce_bi;
        ca->private = ce->ce_private;
        ca->ca_entry = e;
+       ca->fname = "slapd";
        strcpy( ca->log, "back-config" );
 
        for (ml = op->orm_modlist; ml; ml=ml->sml_next) {
@@ -3548,7 +3823,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
                switch (ml->sml_op) {
                case LDAP_MOD_DELETE:
                case LDAP_MOD_REPLACE: {
-                       BerVarray vals = NULL, nvals;
+                       BerVarray vals = NULL, nvals = NULL;
                        int *idx = NULL;
                        if ( ct && ( ct->arg_type & ARG_NO_DELETE )) {
                                rc = LDAP_OTHER;
@@ -3606,9 +3881,13 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
                                }
                                for ( i=0; !BER_BVISNULL( &ml->sml_values[i] ); i++ ) {
                                        if ( ml->sml_values[i].bv_val[0] == '{' &&
-                                               navals >= 0 ) {
-                                               int j = strtol( ml->sml_values[i].bv_val+1, NULL, 0 );
-                                               if ( j < navals ) {
+                                               navals >= 0 )
+                                       {
+                                               char    *next, *val = ml->sml_values[i].bv_val + 1;
+                                               int     j;
+
+                                               j = strtol( val, &next, 0 );
+                                               if ( next == val || next[ 0 ] != '}' || j < navals ) {
                                                        rc = LDAP_OTHER;
                                                        snprintf(ca->msg, sizeof(ca->msg), "cannot insert %s",
                                                                ml->sml_desc->ad_cname.bv_val );
@@ -3659,9 +3938,9 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
                        switch (ml->sml_op) {
                        case LDAP_MOD_DELETE:
                        case LDAP_MOD_REPLACE: {
-                               BerVarray vals = NULL, nvals;
+                               BerVarray vals = NULL, nvals = NULL;
                                Attribute *a;
-                               delrec *d;
+                               delrec *d = NULL;
 
                                a = attr_find( e->e_attrs, ml->sml_desc );
 
@@ -3726,10 +4005,17 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
                                        ca->line = ml->sml_values[i].bv_val;
                                        ca->valx = -1;
                                        if ( ml->sml_desc->ad_type->sat_flags & SLAP_AT_ORDERED &&
-                                               ca->line[0] == '{' ) {
-                                               ptr = strchr( ca->line, '}' );
+                                               ca->line[0] == '{' )
+                                       {
+                                               ptr = strchr( ca->line + 1, '}' );
                                                if ( ptr ) {
-                                                       ca->valx = strtol( ca->line+1, NULL, 0 );
+                                                       char    *next;
+
+                                                       ca->valx = strtol( ca->line + 1, &next, 0 );
+                                                       if ( next == ca->line + 1 || next[ 0 ] != '}' ) {
+                                                               rc = LDAP_OTHER;
+                                                               goto out;
+                                                       }
                                                        ca->line = ptr+1;
                                                }
                                        }
@@ -3816,16 +4102,22 @@ config_back_modify( Operation *op, SlapReply *rs )
        } else if ( cfb->cb_use_ldif ) {
                BackendDB *be = op->o_bd;
                slap_callback sc = { NULL, slap_null_cb, NULL, NULL };
+               struct berval dn, ndn;
+
                op->o_bd = &cfb->cb_db;
-               if ( ber_bvcmp( &op->o_bd->be_rootndn, &be->be_rootndn )) {
-                       op->o_bd->be_rootdn = be->be_rootdn;
-                       op->o_bd->be_rootndn= be->be_rootndn;
-               }
+
+               dn = op->o_dn;
+               ndn = op->o_ndn;
+               op->o_dn = op->o_bd->be_rootdn;
+               op->o_ndn = op->o_bd->be_rootndn;
+
                sc.sc_next = op->o_callback;
                op->o_callback = &sc;
                op->o_bd->be_modify( op, rs );
                op->o_bd = be;
                op->o_callback = sc.sc_next;
+               op->o_dn = dn;
+               op->o_ndn = ndn;
        }
 
        ldap_pvt_thread_pool_resume( &connection_pool );
@@ -3864,6 +4156,9 @@ config_back_modrdn( Operation *op, SlapReply *rs )
        }
        ldap_pvt_thread_pool_pause( &connection_pool );
 
+       rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+       rs->sr_text = "renaming not implemented yet within naming context";
+
        ldap_pvt_thread_pool_resume( &connection_pool );
 out:
        send_ldap_result( op, rs );
@@ -3922,7 +4217,9 @@ config_build_attrs( Entry *e, AttributeType **at, AttributeDescription *ad,
                for (i=0;ct[i].name;i++) {
                        if (ct[i].ad == (*at)->sat_ad) {
                                rc = config_get_vals(&ct[i], c);
-                               if (rc == LDAP_SUCCESS) {
+                               /* NOTE: tolerate that config_get_vals()
+                                * returns success with no values */
+                               if (rc == LDAP_SUCCESS && c->rvalue_vals != NULL ) {
                                        if ( c->rvalue_nvals )
                                                attr_merge(e, ct[i].ad, c->rvalue_vals,
                                                        c->rvalue_nvals);
@@ -4045,7 +4342,11 @@ config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent,
                ptr = strchr( bv.bv_val, '.' );
                if ( ptr )
                        bv.bv_len = ptr - bv.bv_val;
-               c->value_dn.bv_len = sprintf(c->value_dn.bv_val, "cn=" SLAP_X_ORDERED_FMT, c->depth);
+               c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=" SLAP_X_ORDERED_FMT, c->depth);
+               if ( c->value_dn.bv_len >= sizeof( c->log ) ) {
+                       /* FIXME: how can indicate error? */
+                       return;
+               }
                strncpy( c->value_dn.bv_val + c->value_dn.bv_len, bv.bv_val,
                        bv.bv_len );
                c->value_dn.bv_len += bv.bv_len;
@@ -4071,7 +4372,11 @@ config_build_includes( ConfigArgs *c, CfEntryInfo *ceparent,
 
        for (i=0; cf; cf=cf->c_sibs, i++) {
                c->value_dn.bv_val = c->log;
-               c->value_dn.bv_len = sprintf(c->value_dn.bv_val, "cn=include" SLAP_X_ORDERED_FMT, i);
+               c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=include" SLAP_X_ORDERED_FMT, i);
+               if ( c->value_dn.bv_len >= sizeof( c->log ) ) {
+                       /* FIXME: how can indicate error? */
+                       return;
+               }
                c->private = cf;
                e = config_build_entry( op, rs, ceparent, c, &c->value_dn,
                        &CFOC_INCLUDE, NULL );
@@ -4095,7 +4400,11 @@ config_build_modules( ConfigArgs *c, CfEntryInfo *ceparent,
                if ( BER_BVISNULL( &mp->mp_path ) && !mp->mp_loads )
                        continue;
                c->value_dn.bv_val = c->log;
-               c->value_dn.bv_len = sprintf(c->value_dn.bv_val, "cn=module" SLAP_X_ORDERED_FMT, i);
+               c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=module" SLAP_X_ORDERED_FMT, i);
+               if ( c->value_dn.bv_len >= sizeof( c->log ) ) {
+                       /* FIXME: how can indicate error? */
+                       return;
+               }
                c->private = mp;
                config_build_entry( op, rs, ceparent, c, &c->value_dn,
                        &CFOC_MODULE, NULL );
@@ -4110,7 +4419,7 @@ config_back_db_open( BackendDB *be )
        struct berval rdn;
        Entry *e, *parent;
        CfEntryInfo *ce, *ceparent;
-       int i;
+       int i, unsupp = 0;
        BackendInfo *bi;
        ConfigArgs c;
        Connection conn = {0};
@@ -4129,12 +4438,11 @@ config_back_db_open( BackendDB *be )
                op = (Operation *) &opbuf;
                connection_fake_init( &conn, op, thrctx );
 
-               op->o_dn = be->be_rootdn;
-               op->o_ndn = be->be_rootndn;
-
                op->o_tag = LDAP_REQ_ADD;
                op->o_callback = &cb;
                op->o_bd = &cfb->cb_db;
+               op->o_dn = op->o_bd->be_rootdn;
+               op->o_ndn = op->o_bd->be_rootndn;
        } else {
                op = NULL;
        }
@@ -4186,11 +4494,24 @@ config_back_db_open( BackendDB *be )
        
        c.line = 0;
        LDAP_STAILQ_FOREACH( bi, &backendInfo, bi_next) {
-               if (!bi->bi_cf_ocs) continue;
+               if (!bi->bi_cf_ocs) {
+                       /* If it only supports the old config mech, complain. */
+                       if ( bi->bi_config ) {
+                               Debug( LDAP_DEBUG_ANY,
+                                       "WARNING: No dynamic config support for backend %s.\n",
+                                       bi->bi_type, 0, 0 );
+                               unsupp++;
+                       }
+                       continue;
+               }
                if (!bi->bi_private) continue;
 
                rdn.bv_val = c.log;
-               rdn.bv_len = sprintf(rdn.bv_val, "%s=%s", cfAd_backend->ad_cname.bv_val, bi->bi_type);
+               rdn.bv_len = snprintf(rdn.bv_val, sizeof( c.log ),
+                       "%s=%s", cfAd_backend->ad_cname.bv_val, bi->bi_type);
+               if ( rdn.bv_len >= sizeof( c.log ) ) {
+                       /* FIXME: holler ... */ ;
+               }
                c.bi = bi;
                e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_BACKEND,
                        bi->bi_cf_ocs );
@@ -4209,9 +4530,23 @@ config_back_db_open( BackendDB *be )
                } else {
                        bi = be->bd_info;
                }
+
+               /* If this backend supports the old config mechanism, but not
+                * the new mech, complain.
+                */
+               if ( !be->be_cf_ocs && bi->bi_db_config ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "WARNING: No dynamic config support for database %s.\n",
+                               bi->bi_type, 0, 0 );
+                       unsupp++;
+               }
                rdn.bv_val = c.log;
-               rdn.bv_len = sprintf(rdn.bv_val, "%s=" SLAP_X_ORDERED_FMT "%s", cfAd_database->ad_cname.bv_val,
+               rdn.bv_len = snprintf(rdn.bv_val, sizeof( c.log ),
+                       "%s=" SLAP_X_ORDERED_FMT "%s", cfAd_database->ad_cname.bv_val,
                        i, bi->bi_type);
+               if ( rdn.bv_len >= sizeof( c.log ) ) {
+                       /* FIXME: holler ... */ ;
+               }
                c.be = be;
                c.bi = bi;
                e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_DATABASE,
@@ -4226,9 +4561,19 @@ config_back_db_open( BackendDB *be )
                        int j;
 
                        for (j=0,on=oi->oi_list; on; j++,on=on->on_next) {
+                               if ( on->on_bi.bi_db_config && !on->on_bi.bi_cf_ocs ) {
+                                       Debug( LDAP_DEBUG_ANY,
+                                               "WARNING: No dynamic config support for overlay %s.\n",
+                                               on->on_bi.bi_type, 0, 0 );
+                                       unsupp++;
+                               }
                                rdn.bv_val = c.log;
-                               rdn.bv_len = sprintf(rdn.bv_val, "%s=" SLAP_X_ORDERED_FMT "%s",
+                               rdn.bv_len = snprintf(rdn.bv_val, sizeof( c.log ),
+                                       "%s=" SLAP_X_ORDERED_FMT "%s",
                                        cfAd_overlay->ad_cname.bv_val, j, on->on_bi.bi_type );
+                               if ( rdn.bv_len >= sizeof( c.log ) ) {
+                                       /* FIXME: holler ... */ ;
+                               }
                                c.be = be;
                                c.bi = &on->on_bi;
                                oe = config_build_entry( op, &rs, ce, &c, &rdn,
@@ -4241,6 +4586,11 @@ config_back_db_open( BackendDB *be )
        if ( thrctx )
                ldap_pvt_thread_pool_context_reset( thrctx );
 
+       if ( unsupp  && cfb->cb_use_ldif ) {
+               Debug( LDAP_DEBUG_ANY, "\nWARNING: The converted cn=config "
+                       "directory is incomplete and may not work.\n\n", 0, 0, 0 );
+       }
+
        return 0;
 }
 
@@ -4469,6 +4819,9 @@ config_back_initialize( BackendInfo *bi )
                NULL
        };
 
+       /* Make sure we don't exceed the bits reserved for userland */
+       config_check_userland( CFG_LAST );
+
        bi->bi_controls = controls;
 
        bi->bi_open = 0;
@@ -4510,9 +4863,6 @@ config_back_initialize( BackendInfo *bi )
        bi->bi_tool_entry_get = config_tool_entry_get;
        bi->bi_tool_entry_put = config_tool_entry_put;
 
-       /* Make sure we don't exceed the bits reserved for userland */
-       assert( ( ( CFG_LAST - 1 ) & ARGS_USERLAND ) == ( CFG_LAST - 1 ) );
-
        argv[3] = NULL;
        for (i=0; OidMacros[i].name; i++ ) {
                argv[1] = OidMacros[i].name;
Cloned from git://git.openldap.org/openldap.git