Silently restrict index_intlen to 4-255.
index d8284b5dbde4353f2e8002edf0a7899af23e9e33..641e4380424fefb7711fe0965df42458b8d4c547 100644 (file)
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2006 The OpenLDAP Foundation.
+ * Copyright 1998-2007 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
 
 #if defined(HAVE_SYS_EPOLL_H) && defined(HAVE_EPOLL)
 # include <sys/epoll.h>
-#endif
+#elif defined(SLAP_X_DEVPOLL) && defined(HAVE_SYS_DEVPOLL_H) && defined(HAVE_DEVPOLL)
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <sys/devpoll.h>
+#endif /* ! epoll && ! /dev/poll */
 
 #ifdef HAVE_TCPD
-# include <tcpd.h>
 int allow_severity = LOG_INFO;
 int deny_severity = LOG_NOTICE;
-
-# define SLAP_STRING_UNKNOWN   STRING_UNKNOWN
-#else /* ! TCP Wrappers */
-# define SLAP_STRING_UNKNOWN   "unknown"
-#endif /* ! TCP Wrappers */
+#endif /* TCP Wrappers */
 
 #ifdef LDAP_PF_LOCAL
 # include <sys/stat.h>
@@ -114,7 +114,14 @@ static struct slap_daemon {
        int                     *sd_index;
        int                     sd_epfd;
        int                     sd_nfds;
-#else /* ! epoll */
+#elif defined(SLAP_X_DEVPOLL) && defined(HAVE_DEVPOLL)
+       /* eXperimental */
+       struct pollfd           *sd_pollfd;
+       int                     *sd_index;
+       Listener                **sd_l;
+       int                     sd_dpfd;
+       int                     sd_nfds;
+#else /* ! epoll && ! /dev/poll */
 #ifndef HAVE_WINSOCK
        /* In winsock, accept() returns values higher than dtblsize
                so don't bother with this optimization */
@@ -123,7 +130,7 @@ static struct slap_daemon {
        fd_set                  sd_actives;
        fd_set                  sd_readers;
        fd_set                  sd_writers;
-#endif /* ! epoll */
+#endif /* ! epoll && ! /dev/poll */
 } slap_daemon;
 
 /*
@@ -133,7 +140,7 @@ static struct slap_daemon {
  *   with file descriptors and events respectively
  *
  * - SLAP_<type>_* for private interface; type by now is one of
- *   EPOLL, SELECT
+ *   EPOLL, DEVPOLL, SELECT
  *
  * private interface should not be used in the code.
  */
@@ -175,14 +182,12 @@ static struct slap_daemon {
 # define SLAP_SOCK_CLR_READ(s)         SLAP_EPOLL_SOCK_CLR((s), EPOLLIN)
 # define SLAP_SOCK_CLR_WRITE(s)                SLAP_EPOLL_SOCK_CLR((s), EPOLLOUT)
 
-# ifdef SLAP_LIGHTWEIGHT_DISPATCHER
 #  define SLAP_SOCK_SET_SUSPEND(s) \
        ( slap_daemon.sd_suspend[SLAP_EPOLL_SOCK_IX(s)] = 1 )
 #  define SLAP_SOCK_CLR_SUSPEND(s) \
        ( slap_daemon.sd_suspend[SLAP_EPOLL_SOCK_IX(s)] = 0 )
 #  define SLAP_SOCK_IS_SUSPEND(s) \
        ( slap_daemon.sd_suspend[SLAP_EPOLL_SOCK_IX(s)] == 1 )
-# endif /* SLAP_LIGHTWEIGHT_DISPATCHER */
 
 # define SLAP_EPOLL_EVENT_CLR(i, mode) (revents[(i)].events &= ~(mode))
 
@@ -215,7 +220,8 @@ static struct slap_daemon {
        (int *)(ptr) <= &slap_daemon.sd_index[dtblsize]) ? 0 : 1 )
 
 # define SLAP_EPOLL_EV_PTRFD(ptr)              (SLAP_EPOLL_EV_LISTENER(ptr) ? \
-       ((Listener *)ptr)->sl_sd : (int *)(ptr) - slap_daemon.sd_index)
+       ((Listener *)ptr)->sl_sd : \
+       (ber_socket_t) ((int *)(ptr) - slap_daemon.sd_index))
 
 # define SLAP_SOCK_DEL(s)              do { \
        int fd, rc, index = SLAP_EPOLL_SOCK_IX((s)); \
@@ -271,7 +277,186 @@ static struct slap_daemon {
                dtblsize, (tvp) ? (tvp)->tv_sec * 1000 : -1 ); \
 } while (0)
 
-#else /* ! epoll */
+#elif defined(SLAP_X_DEVPOLL) && defined(HAVE_DEVPOLL)
+
+/*************************************************************
+ * Use Solaris' (>= 2.7) /dev/poll infrastructure - poll(7d) *
+ *************************************************************/
+# define SLAP_EVENT_FNAME              "/dev/poll"
+# define SLAP_EVENTS_ARE_INDEXED       0
+/*
+ * - sd_index  is used much like with epoll()
+ * - sd_l      is maintained as an array containing the address
+ *             of the listener; the index is the fd itself
+ * - sd_pollfd is used to keep track of what data has been
+ *             registered in /dev/poll
+ */
+# define SLAP_DEVPOLL_SOCK_IX(s)       (slap_daemon.sd_index[(s)])
+# define SLAP_DEVPOLL_SOCK_LX(s)       (slap_daemon.sd_l[(s)])
+# define SLAP_DEVPOLL_SOCK_EP(s)       (slap_daemon.sd_pollfd[SLAP_DEVPOLL_SOCK_IX((s))])
+# define SLAP_DEVPOLL_SOCK_FD(s)       (SLAP_DEVPOLL_SOCK_EP((s)).fd)
+# define SLAP_DEVPOLL_SOCK_EV(s)       (SLAP_DEVPOLL_SOCK_EP((s)).events)
+# define SLAP_SOCK_IS_ACTIVE(s)                (SLAP_DEVPOLL_SOCK_IX((s)) != -1)
+# define SLAP_SOCK_NOT_ACTIVE(s)       (SLAP_DEVPOLL_SOCK_IX((s)) == -1)
+# define SLAP_SOCK_IS_SET(s, mode)     (SLAP_DEVPOLL_SOCK_EV((s)) & (mode))
+
+# define SLAP_SOCK_IS_READ(s)          SLAP_SOCK_IS_SET((s), POLLIN)
+# define SLAP_SOCK_IS_WRITE(s)         SLAP_SOCK_IS_SET((s), POLLOUT)
+
+/* as far as I understand, any time we need to communicate with the kernel
+ * about the number and/or properties of a file descriptor we need it to
+ * wait for, we have to rewrite the whole set */
+# define SLAP_DEVPOLL_WRITE_POLLFD(s, pfd, n, what, shdn)      do { \
+       int rc; \
+       size_t size = (n) * sizeof( struct pollfd ); \
+       /* FIXME: use pwrite? */ \
+       rc = write( slap_daemon.sd_dpfd, (pfd), size ); \
+       if ( rc != size ) { \
+               Debug( LDAP_DEBUG_ANY, "daemon: " SLAP_EVENT_FNAME ": " \
+                       "%s fd=%d failed errno=%d\n", \
+                       (what), (s), errno ); \
+               if ( (shdn) ) { \
+                       slapd_shutdown = 2; \
+               } \
+       } \
+} while (0)
+
+# define SLAP_DEVPOLL_SOCK_SET(s, mode)        do { \
+       Debug( LDAP_DEBUG_CONNS, "SLAP_SOCK_SET_%s(%d)=%d\n", \
+               (mode) == POLLIN ? "READ" : "WRITE", (s), \
+               ( (SLAP_DEVPOLL_SOCK_EV((s)) & (mode)) != (mode) ) ); \
+       if ( (SLAP_DEVPOLL_SOCK_EV((s)) & (mode)) != (mode) ) { \
+               struct pollfd pfd; \
+               SLAP_DEVPOLL_SOCK_EV((s)) |= (mode); \
+               pfd.fd = SLAP_DEVPOLL_SOCK_FD((s)); \
+               pfd.events = /* (mode) */ SLAP_DEVPOLL_SOCK_EV((s)); \
+               SLAP_DEVPOLL_WRITE_POLLFD((s), &pfd, 1, "SET", 0); \
+       } \
+} while (0)
+
+# define SLAP_DEVPOLL_SOCK_CLR(s, mode)                do { \
+       Debug( LDAP_DEBUG_CONNS, "SLAP_SOCK_CLR_%s(%d)=%d\n", \
+               (mode) == POLLIN ? "READ" : "WRITE", (s), \
+               ( (SLAP_DEVPOLL_SOCK_EV((s)) & (mode)) == (mode) ) ); \
+       if ((SLAP_DEVPOLL_SOCK_EV((s)) & (mode)) == (mode) ) { \
+               struct pollfd pfd[2]; \
+               SLAP_DEVPOLL_SOCK_EV((s)) &= ~(mode); \
+               pfd[0].fd = SLAP_DEVPOLL_SOCK_FD((s)); \
+               pfd[0].events = POLLREMOVE; \
+               pfd[1] = SLAP_DEVPOLL_SOCK_EP((s)); \
+               SLAP_DEVPOLL_WRITE_POLLFD((s), &pfd[0], 2, "CLR", 0); \
+       } \
+} while (0)
+
+# define SLAP_SOCK_SET_READ(s)         SLAP_DEVPOLL_SOCK_SET(s, POLLIN)
+# define SLAP_SOCK_SET_WRITE(s)                SLAP_DEVPOLL_SOCK_SET(s, POLLOUT)
+
+# define SLAP_SOCK_CLR_READ(s)         SLAP_DEVPOLL_SOCK_CLR((s), POLLIN)
+# define SLAP_SOCK_CLR_WRITE(s)                SLAP_DEVPOLL_SOCK_CLR((s), POLLOUT)
+
+#  define SLAP_SOCK_SET_SUSPEND(s) \
+       ( slap_daemon.sd_suspend[SLAP_DEVPOLL_SOCK_IX((s))] = 1 )
+#  define SLAP_SOCK_CLR_SUSPEND(s) \
+       ( slap_daemon.sd_suspend[SLAP_DEVPOLL_SOCK_IX((s))] = 0 )
+#  define SLAP_SOCK_IS_SUSPEND(s) \
+       ( slap_daemon.sd_suspend[SLAP_DEVPOLL_SOCK_IX((s))] == 1 )
+
+# define SLAP_DEVPOLL_EVENT_CLR(i, mode)       (revents[(i)].events &= ~(mode))
+
+# define SLAP_EVENT_MAX                        slap_daemon.sd_nfds
+
+/* If a Listener address is provided, store that in the sd_l array.
+ * If we can't do this add, the system is out of resources and we 
+ * need to shutdown.
+ */
+# define SLAP_SOCK_ADD(s, l)           do { \
+       Debug( LDAP_DEBUG_CONNS, "SLAP_SOCK_ADD(%d, %p)\n", (s), (l), 0 ); \
+       SLAP_DEVPOLL_SOCK_IX((s)) = slap_daemon.sd_nfds; \
+       SLAP_DEVPOLL_SOCK_LX((s)) = (l); \
+       SLAP_DEVPOLL_SOCK_FD((s)) = (s); \
+       SLAP_DEVPOLL_SOCK_EV((s)) = POLLIN; \
+       SLAP_DEVPOLL_WRITE_POLLFD((s), &SLAP_DEVPOLL_SOCK_EP((s)), 1, "ADD", 1); \
+       slap_daemon.sd_nfds++; \
+} while (0)
+
+# define SLAP_DEVPOLL_EV_LISTENER(ptr) ((ptr) != NULL)
+
+# define SLAP_SOCK_DEL(s)              do { \
+       int fd, index = SLAP_DEVPOLL_SOCK_IX((s)); \
+       Debug( LDAP_DEBUG_CONNS, "SLAP_SOCK_DEL(%d)\n", (s), 0, 0 ); \
+       if ( index < 0 ) break; \
+       if ( index < slap_daemon.sd_nfds - 1 ) { \
+               struct pollfd pfd = slap_daemon.sd_pollfd[index]; \
+               fd = slap_daemon.sd_pollfd[slap_daemon.sd_nfds - 1].fd; \
+               slap_daemon.sd_pollfd[index] = slap_daemon.sd_pollfd[slap_daemon.sd_nfds - 1]; \
+               slap_daemon.sd_pollfd[slap_daemon.sd_nfds - 1] = pfd; \
+               slap_daemon.sd_index[fd] = index; \
+       } \
+       slap_daemon.sd_index[(s)] = -1; \
+       slap_daemon.sd_pollfd[slap_daemon.sd_nfds - 1].events = POLLREMOVE; \
+       SLAP_DEVPOLL_WRITE_POLLFD((s), &slap_daemon.sd_pollfd[slap_daemon.sd_nfds - 1], 1, "DEL", 0); \
+       slap_daemon.sd_pollfd[slap_daemon.sd_nfds - 1].events = 0; \
+       slap_daemon.sd_nfds--; \
+} while (0)
+
+# define SLAP_EVENT_CLR_READ(i)                SLAP_DEVPOLL_EVENT_CLR((i), POLLIN)
+# define SLAP_EVENT_CLR_WRITE(i)       SLAP_DEVPOLL_EVENT_CLR((i), POLLOUT)
+
+# define SLAP_DEVPOLL_EVENT_CHK(i, mode)       (revents[(i)].events & (mode))
+
+# define SLAP_EVENT_FD(i)              (revents[(i)].fd)
+
+# define SLAP_EVENT_IS_READ(i)         SLAP_DEVPOLL_EVENT_CHK((i), POLLIN)
+# define SLAP_EVENT_IS_WRITE(i)                SLAP_DEVPOLL_EVENT_CHK((i), POLLOUT)
+# define SLAP_EVENT_IS_LISTENER(i)     SLAP_DEVPOLL_EV_LISTENER(SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD((i))))
+# define SLAP_EVENT_LISTENER(i)                SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD((i)))
+
+# define SLAP_SOCK_INIT                do { \
+       slap_daemon.sd_pollfd = ch_calloc( 1, \
+               ( sizeof(struct pollfd) * 2 \
+                       + sizeof( int ) \
+                       + sizeof( Listener * ) ) * dtblsize ); \
+       slap_daemon.sd_index = (int *)&slap_daemon.sd_pollfd[ 2 * dtblsize ]; \
+       slap_daemon.sd_l = (Listener **)&slap_daemon.sd_index[ dtblsize ]; \
+       slap_daemon.sd_dpfd = open( SLAP_EVENT_FNAME, O_RDWR ); \
+       if ( slap_daemon.sd_dpfd == -1 ) { \
+               Debug( LDAP_DEBUG_ANY, "daemon: " SLAP_EVENT_FNAME ": " \
+                       "open(\"" SLAP_EVENT_FNAME "\") failed errno=%d\n", \
+                       errno, 0, 0 ); \
+               SLAP_SOCK_DESTROY; \
+               return -1; \
+       } \
+       for ( i = 0; i < dtblsize; i++ ) { \
+               slap_daemon.sd_pollfd[i].fd = -1; \
+               slap_daemon.sd_index[i] = -1; \
+       } \
+} while (0)
+
+# define SLAP_SOCK_DESTROY             do { \
+       if ( slap_daemon.sd_pollfd != NULL ) { \
+               ch_free( slap_daemon.sd_pollfd ); \
+               slap_daemon.sd_pollfd = NULL; \
+               slap_daemon.sd_index = NULL; \
+               slap_daemon.sd_l = NULL; \
+               close( slap_daemon.sd_dpfd ); \
+       } \
+} while ( 0 )
+
+# define SLAP_EVENT_DECL               struct pollfd *revents
+
+# define SLAP_EVENT_INIT               do { \
+       revents = &slap_daemon.sd_pollfd[ dtblsize ]; \
+} while (0)
+
+# define SLAP_EVENT_WAIT(tvp, nsp)     do { \
+       struct dvpoll           sd_dvpoll; \
+       sd_dvpoll.dp_timeout = (tvp) ? (tvp)->tv_sec * 1000 : -1; \
+       sd_dvpoll.dp_nfds = dtblsize; \
+       sd_dvpoll.dp_fds = revents; \
+       *(nsp) = ioctl( slap_daemon.sd_dpfd, DP_POLL, &sd_dvpoll ); \
+} while (0)
+
+#else /* ! epoll && ! /dev/poll */
 
 /**************************************
  * Use select system call - select(2) *
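Review bot: `SLAP_SOCK_ADD` indexes `sd_index[(s)]` and `sd_l[(s)]` with the raw descriptor and appends at `sd_pollfd[sd_nfds]`, but nothing in the macro checks `s` or `sd_nfds` against `dtblsize`, which is the size all three tables get in `SLAP_SOCK_INIT`. If no caller outside this hunk already guarantees `s < dtblsize`, a descriptor above the table size becomes an out-of-bounds heap write; a guard such as `if ( (s) < 0 || (s) >= dtblsize || slap_daemon.sd_nfds >= dtblsize ) { slapd_shutdown = 2; break; }` at the top of the macro would make the documented "out of resources" case explicit. Separately, `SLAP_SOCK_INIT` places `sd_l` directly after `dtblsize` ints, so the `Listener **` array is pointer-aligned only when that offset happens to be a multiple of the pointer size; putting `sd_l` before `sd_index` inside the single allocation removes that dependency. The `SLAP_SOCK_*_SUSPEND` macros added here use `slap_daemon.sd_suspend`, which is not among the fields the struct hunk adds for this branch, so it is worth confirming that the member is declared outside the `#if`.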
@@ -301,6 +486,7 @@ static struct slap_daemon {
 
 # define SLAP_SOCK_INIT                        do { \
        SLAP_SELECT_CHK_SETSIZE; \
+       FD_ZERO(&slap_daemon.sd_actives); \
        FD_ZERO(&slap_daemon.sd_readers); \
        FD_ZERO(&slap_daemon.sd_writers); \
 } while (0)
@@ -355,11 +541,11 @@ static struct slap_daemon {
 # define SLAP_EVENT_CLR_READ(fd)       FD_CLR((fd), &readfds)
 # define SLAP_EVENT_CLR_WRITE(fd)      FD_CLR((fd), &writefds)
 
-# define SLAP_EVENT_WAIT(tvp, snp)     do { \
+# define SLAP_EVENT_WAIT(tvp, nsp)     do { \
        *(nsp) = select( SLAP_EVENT_MAX, &readfds, \
                nwriters > 0 ? &writefds : NULL, NULL, (tvp) ); \
 } while (0)
-#endif /* ! epoll */
+#endif /* ! epoll && ! /dev/poll */
 
 #ifdef HAVE_SLP
 /*
@@ -389,28 +575,17 @@ slapd_slp_init( const char* urls )
        /* find and expand INADDR_ANY URLs */
        for ( i = 0; slapd_srvurls[i] != NULL; i++ ) {
                if ( strcmp( slapd_srvurls[i], "ldap:///" ) == 0 ) {
-                       char *host = ldap_pvt_get_fqdn( NULL );
-                       if ( host != NULL ) {
-                               slapd_srvurls[i] = (char *) ch_realloc( slapd_srvurls[i],
-                                       strlen( host ) +
-                                       sizeof( LDAP_SRVTYPE_PREFIX ) );
-                               strcpy( lutil_strcopy(slapd_srvurls[i],
-                                       LDAP_SRVTYPE_PREFIX ), host );
-
-                               ch_free( host );
-                       }
-
+                       slapd_srvurls[i] = (char *) ch_realloc( slapd_srvurls[i],
+                               strlen( global_host ) +
+                               sizeof( LDAP_SRVTYPE_PREFIX ) );
+                       strcpy( lutil_strcopy(slapd_srvurls[i],
+                               LDAP_SRVTYPE_PREFIX ), global_host );
                } else if ( strcmp( slapd_srvurls[i], "ldaps:///" ) == 0 ) {
-                       char *host = ldap_pvt_get_fqdn( NULL );
-                       if ( host != NULL ) {
-                               slapd_srvurls[i] = (char *) ch_realloc( slapd_srvurls[i],
-                                       strlen( host ) +
-                                       sizeof( LDAPS_SRVTYPE_PREFIX ) );
-                               strcpy( lutil_strcopy(slapd_srvurls[i],
-                                       LDAPS_SRVTYPE_PREFIX ), host );
-
-                               ch_free( host );
-                       }
+                       slapd_srvurls[i] = (char *) ch_realloc( slapd_srvurls[i],
+                               strlen( global_host ) +
+                               sizeof( LDAPS_SRVTYPE_PREFIX ) );
+                       strcpy( lutil_strcopy(slapd_srvurls[i],
+                               LDAPS_SRVTYPE_PREFIX ), global_host );
                }
        }
 
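Review bot: Both branches now call `strlen( global_host )` and copy from it with no NULL check, whereas the removed code skipped the rewrite when `ldap_pvt_get_fqdn()` returned NULL. Where `global_host` is assigned is not visible in this hunk, so if `slapd_slp_init()` can run before it is set this becomes a NULL dereference during startup; adding the test to each condition, e.g. `if ( global_host != NULL && strcmp( slapd_srvurls[i], "ldap:///" ) == 0 ) {`, or a comment stating the required initialisation order, would keep the old safety. The two branches differ only in the prefix constant and could share one small static helper that takes the prefix as an argument. The function starts and ends outside the hunk.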
@@ -520,14 +695,12 @@ slapd_add( ber_socket_t s, int isactive, Listener *sl )
 
        SLAP_SOCK_ADD(s, sl);
 
-       Debug( LDAP_DEBUG_CONNS, "daemon: added %ldr\n",
-               (long) s, 0, 0 );
+       Debug( LDAP_DEBUG_CONNS, "daemon: added %ldr%s listener=%p\n",
+               (long) s, isactive ? " (active)" : "", (void *)sl );
 
        ldap_pvt_thread_mutex_unlock( &slap_daemon.sd_mutex );
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
        WAKE_LISTENER(1);
-#endif /* SLAP_LIGHTWEIGHT_DISPATCHER */
 }
 
 /*
@@ -949,9 +1122,7 @@ slap_open_listener(
 
        l.sl_url.bv_val = NULL;
        l.sl_mute = 0;
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
        l.sl_busy = 0;
-#endif /* SLAP_LIGHTWEIGHT_DISPATCHER */
 
 #ifndef HAVE_TLS
        if( ldap_pvt_url_scheme2tls( lud->lud_scheme ) ) {
@@ -1115,21 +1286,44 @@ slap_open_listener(
 #ifdef LDAP_PF_LOCAL
                case AF_LOCAL:
 #ifdef LOCAL_CREDS
-               {
-                       int one = 1;
-                       setsockopt(l.sl_sd, 0, LOCAL_CREDS, &one, sizeof one);
-               }
+                       {
+                               int one = 1;
+                               setsockopt( l.sl_sd, 0, LOCAL_CREDS, &one, sizeof( one ) );
+                       }
 #endif /* LOCAL_CREDS */
-               addrlen = sizeof(struct sockaddr_un);
-               break;
+
+                       addrlen = sizeof( struct sockaddr_un );
+                       break;
 #endif /* LDAP_PF_LOCAL */
                }
 
-               if (bind(l.sl_sd, *sal, addrlen)) {
+#ifdef LDAP_PF_LOCAL
+               /* create socket with all permissions set for those systems
+                * that honor permissions on sockets (e.g. Linux); typically,
+                * only write is required.  To exploit filesystem permissions,
+                * place the socket in a directory and use directory's
+                * permissions.  Need write perms to the directory to 
+                * create/unlink the socket; likely need exec perms to access
+                * the socket (ITS#4709) */
+               {
+                       mode_t old_umask;
+
+                       if ( (*sal)->sa_family == AF_LOCAL ) {
+                               old_umask = umask( 0 );
+                       }
+#endif /* LDAP_PF_LOCAL */
+                       rc = bind( l.sl_sd, *sal, addrlen );
+#ifdef LDAP_PF_LOCAL
+                       if ( (*sal)->sa_family == AF_LOCAL ) {
+                               umask( old_umask );
+                       }
+               }
+#endif /* LDAP_PF_LOCAL */
+               if ( rc ) {
                        err = sock_errno();
                        Debug( LDAP_DEBUG_ANY,
                                "daemon: bind(%ld) failed errno=%d (%s)\n",
-                               (long) l.sl_sd, err, sock_errstr(err) );
+                               (long)l.sl_sd, err, sock_errstr( err ) );
                        tcp_close( l.sl_sd );
                        sal++;
                        continue;
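Review bot: `umask( 0 )` around `bind()` changes the mask for the whole process rather than for this one call, so any file another thread creates in that window is also created with no mask applied; whether other threads exist when `slap_open_listener()` runs is not visible here. Setting the mode on the socket path after a successful `bind()`, with an explicit named mode constant, would give the same result without touching process-wide state and would put the intended permissions in one reviewable place. The comment should also say plainly that the socket itself no longer restricts who may connect, so access control now rests on the containing directory's permissions and on the peer-credential check. `old_umask` is read only under the same `AF_LOCAL` test that sets it, but initialising it at its declaration avoids a maybe-uninitialised warning. The function starts and ends outside the hunk.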
@@ -1171,9 +1365,9 @@ slap_open_listener(
                        inet_ntop( AF_INET6, &((struct sockaddr_in6 *)*sal)->sin6_addr,
                                addr, sizeof addr);
                        port = ntohs( ((struct sockaddr_in6 *)*sal)->sin6_port );
-                       l.sl_name.bv_len = strlen(addr) + sizeof("IP= 65535");
+                       l.sl_name.bv_len = strlen(addr) + sizeof("IP=[]:65535");
                        l.sl_name.bv_val = ber_memalloc( l.sl_name.bv_len );
-                       snprintf( l.sl_name.bv_val, l.sl_name.bv_len, "IP=%s %d", 
+                       snprintf( l.sl_name.bv_val, l.sl_name.bv_len, "IP=[%s]:%d", 
                                addr, port );
                        l.sl_name.bv_len = strlen( l.sl_name.bv_val );
                } break;
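Review bot: The IPv6 listener name changes here from `IP=addr port` to `IP=[addr]:port`, and the peer name changes the same way in the `peername` declaration and `sprintf` hunks of `slap_listener()` further down, so anything that matches these strings literally stops matching after an upgrade. That covers log parsers and, where a deployment uses them, access rules that pattern-match the peer or listener name; a rule written for the old form would silently stop applying. This deserves a release-note entry and a comment at each format string naming the exact form. Separately, the result of `ber_memalloc()` goes straight into `snprintf()` in the lines shown; if the allocator can return NULL, a check before the call would match the error handling used for `bind()` earlier in the function.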
@@ -1228,7 +1422,7 @@ slapd_daemon_init( const char *urls )
 
 #ifdef HAVE_SYSCONF
        dtblsize = sysconf( _SC_OPEN_MAX );
-#elif HAVE_GETDTABLESIZE
+#elif defined(HAVE_GETDTABLESIZE)
        dtblsize = getdtablesize();
 #else /* ! HAVE_SYSCONF && ! HAVE_GETDTABLESIZE */
        dtblsize = FD_SETSIZE;
@@ -1365,8 +1559,8 @@ slap_listener(
        Sockaddr                from;
 
        ber_socket_t s;
-       socklen_t len = sizeof(from);
-       long id;
+       ber_socklen_t len = sizeof(from);
+       Connection *c;
        slap_ssf_t ssf = 0;
        struct berval authid = BER_BVNULL;
 #ifdef SLAPD_RLOOKUPS
@@ -1377,11 +1571,20 @@ slap_listener(
        char    *peeraddr = NULL;
 #ifdef LDAP_PF_LOCAL
        char peername[MAXPATHLEN + sizeof("PATH=")];
+#ifdef LDAP_PF_LOCAL_SENDMSG
+       char peerbuf[8];
+       struct berval peerbv = BER_BVNULL;
+#endif
 #elif defined(LDAP_PF_INET6)
-       char peername[sizeof("IP=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535")];
+       char peername[sizeof("IP=[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]:65535")];
 #else /* ! LDAP_PF_LOCAL && ! LDAP_PF_INET6 */
        char peername[sizeof("IP=255.255.255.255:65336")];
 #endif /* LDAP_PF_LOCAL */
+       int cflag;
+
+       Debug( LDAP_DEBUG_TRACE,
+               ">>> slap_listener(%s)\n",
+               sl->sl_url.bv_val, 0, 0 );
 
        peername[0] = '\0';
 
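Review bot: `peerbuf` and `peerbv` are declared only under `LDAP_PF_LOCAL_SENDMSG`, yet later hunks pass `&peerbv` to `LUTIL_GETPEEREID()` unconditionally and to `connection_init()` through `LDAP_PF_LOCAL_SENDMSG_ARG()`. With the option undefined, that compiles only if `LUTIL_GETPEEREID` is itself a macro that drops its fourth argument, which is not visible here; a comment beside the declaration would record the dependency, e.g. `/* referenced only through macros that discard it when LDAP_PF_LOCAL_SENDMSG is undefined */`. The size `8` of `peerbuf` is unexplained, and a named constant with a comment on what the buffer receives would let a reader check that it is large enough. The function starts and ends outside the hunk.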
@@ -1397,13 +1600,11 @@ slap_listener(
 
        s = accept( sl->sl_sd, (struct sockaddr *) &from, &len );
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
        /* Resume the listener FD to allow concurrent-processing of
         * additional incoming connections.
         */
        sl->sl_busy = 0;
        WAKE_LISTENER(1);
-#endif /* SLAP_LIGHTWEIGHT_DISPATCHER */
 
        if ( s == AC_SOCKET_INVALID ) {
                int err = sock_errno();
@@ -1490,9 +1691,12 @@ slap_listener(
                "daemon: listen=%ld, new connection on %ld\n",
                (long) sl->sl_sd, (long) s, 0 );
 
+       cflag = 0;
        switch ( from.sa_addr.sa_family ) {
 #  ifdef LDAP_PF_LOCAL
        case AF_LOCAL:
+               cflag |= CONN_IS_IPC;
+
                /* FIXME: apparently accept doesn't fill
                 * the sun_path sun_path member */
                if ( from.sa_un_addr.sun_path[0] == '\0' ) {
@@ -1507,7 +1711,11 @@ slap_listener(
                        uid_t uid;
                        gid_t gid;
 
-                       if( getpeereid( s, &uid, &gid ) == 0 ) {
+#ifdef LDAP_PF_LOCAL_SENDMSG
+                       peerbv.bv_val = peerbuf;
+                       peerbv.bv_len = sizeof( peerbuf );
+#endif
+                       if( LUTIL_GETPEEREID( s, &uid, &gid, &peerbv ) == 0 ) {
                                authid.bv_val = ch_malloc(
                                        STRLENOF( "gidNumber=4294967295+uidNumber=4294967295,"
                                        "cn=peercred,cn=external,cn=auth" ) + 1 );
@@ -1538,7 +1746,7 @@ slap_listener(
                peeraddr = (char *) inet_ntop( AF_INET6,
                                      &from.sa_in6_addr.sin6_addr,
                                      addr, sizeof addr );
-               sprintf( peername, "IP=%s %d",
+               sprintf( peername, "IP=[%s]:%d",
                         peeraddr != NULL ? peeraddr : SLAP_STRING_UNKNOWN,
                         (unsigned) ntohs( from.sa_in6_addr.sin6_port ) );
        }
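Review bot: `sprintf( peername, "IP=[%s]:%d", ... )` is an unbounded write, and in the `LDAP_PF_INET6`-only configuration `peername` is sized for exactly the longest colon-hex address, so the two extra bytes of the new format fit only because the declaration hunk above was widened in step. `snprintf( peername, sizeof(peername), "IP=[%s]:%d", ...` keeps the format and the buffer from drifting apart and bounds the write whatever `inet_ntop()` or `SLAP_STRING_UNKNOWN` yields. The `AF_INET` `sprintf` re-indented in the next hunk has the same shape. The port is cast to `unsigned` but printed with `%d`, where `%u` matches the argument. The enclosing block starts outside the hunk.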
@@ -1546,10 +1754,10 @@ slap_listener(
 #  endif /* LDAP_PF_INET6 */
 
        case AF_INET:
-       peeraddr = inet_ntoa( from.sa_in_addr.sin_addr );
-       sprintf( peername, "IP=%s:%d",
-               peeraddr != NULL ? peeraddr : SLAP_STRING_UNKNOWN,
-               (unsigned) ntohs( from.sa_in_addr.sin_port ) );
+               peeraddr = inet_ntoa( from.sa_in_addr.sin_addr );
+               sprintf( peername, "IP=%s:%d",
+                       peeraddr != NULL ? peeraddr : SLAP_STRING_UNKNOWN,
+                       (unsigned) ntohs( from.sa_in_addr.sin_port ) );
                break;
 
        default:
@@ -1599,20 +1807,18 @@ slap_listener(
 #endif /* HAVE_TCPD */
        }
 
-       id = connection_init(s, sl,
-               dnsname != NULL ? dnsname : SLAP_STRING_UNKNOWN,
-               peername,
 #ifdef HAVE_TLS
-               sl->sl_is_tls ? CONN_IS_TLS : 0,
-#else /* ! HAVE_TLS */
-               0,
-#endif /* ! HAVE_TLS */
-               ssf,
-               authid.bv_val ? &authid : NULL );
+       if ( sl->sl_is_tls ) cflag |= CONN_IS_TLS;
+#endif
+       c = connection_init(s, sl,
+               dnsname != NULL ? dnsname : SLAP_STRING_UNKNOWN,
+               peername, cflag, ssf,
+               authid.bv_val ? &authid : NULL
+               LDAP_PF_LOCAL_SENDMSG_ARG(&peerbv));
 
        if( authid.bv_val ) ch_free(authid.bv_val);
 
-       if( id < 0 ) {
+       if( !c ) {
                Debug( LDAP_DEBUG_ANY,
                        "daemon: connection_init(%ld, %s, %s) failed.\n",
                        (long) s, peername, sl->sl_name.bv_val );
@@ -1622,25 +1828,26 @@ slap_listener(
 
        Statslog( LDAP_DEBUG_STATS,
                "conn=%ld fd=%ld ACCEPT from %s (%s)\n",
-               id, (long) s, peername, sl->sl_name.bv_val,
+               c->c_connid, (long) s, peername, sl->sl_name.bv_val,
                0 );
 
        return 0;
 }
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
 static void*
 slap_listener_thread(
        void* ctx,
        void* ptr )
 {
-       int rc;
+       int             rc;
+       Listener        *sl = (Listener *)ptr;
 
-       rc = slap_listener( (Listener*)ptr );
+       rc = slap_listener( sl );
 
        if( rc != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_ANY,
-                       "listener_thread: failed %d", rc, 0, 0 );
+                       "slap_listener_thread(%s): failed err=%d",
+                       sl->sl_url.bv_val, rc, 0 );
        }
 
        return (void*)NULL;
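Review bot: The new `Debug()` format in `slap_listener_thread()`, `"slap_listener_thread(%s): failed err=%d"`, has no trailing newline, so the failure record runs into the next log entry and is easy to miss when reading logs; `"slap_listener_thread(%s): failed err=%d\n"` keeps it on its own line. In the `Statslog()` call the old `id` was a `long` matching `conn=%ld`, while the type of `c->c_connid` is not visible here; `(long) c->c_connid` would mirror the `(long) s` cast beside it. `sl->sl_url.bv_val` is passed to `%s` without a NULL check, which merits a guard if a listener can reach this point without a URL set.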
@@ -1667,7 +1874,6 @@ slap_listener_activate(
        }
        return rc;
 }
-#endif /* SLAP_LIGHTWEIGHT_DISPATCHER */
 
 static void *
 slapd_daemon_task(
@@ -1754,7 +1960,6 @@ slapd_daemon_task(
                        return (void*)-1;
                }
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
                /* make the listening socket non-blocking */
                if ( ber_pvt_socket_set_nonblock( slap_listeners[l]->sl_sd, 1 ) < 0 ) {
                        Debug( LDAP_DEBUG_ANY, "slapd_daemon_task: "
@@ -1763,7 +1968,6 @@ slapd_daemon_task(
                        slapd_shutdown = 2;
                        return (void*)-1;
                }
-#endif /* SLAP_LIGHTWEIGHT_DISPATCHER */
 
                slapd_add( slap_listeners[l]->sl_sd, 0, slap_listeners[l] );
        }
@@ -1774,15 +1978,6 @@ slapd_daemon_task(
        }
 #endif /* HAVE_NT_SERVICE_MANAGER */
 
-#ifdef SLAP_SEM_LOAD_CONTROL
-       /*
-        * initialize count and lazyness of a semaphore
-        */
-       (void) ldap_lazy_sem_init(
-               SLAP_MAX_WORKER_THREADS + 4 /* max workers + margin */,
-               4 /* lazyness */ );
-#endif /* SLAP_SEM_LOAD_CONTROL */
-
        /* initialization complete. Here comes the loop. */
 
        while ( !slapd_shutdown ) {
@@ -1852,11 +2047,7 @@ slapd_daemon_task(
 
                        if ( lr->sl_sd == AC_SOCKET_INVALID ) continue;
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
                        if ( lr->sl_mute || lr->sl_busy )
-#else /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
-                       if ( lr->sl_mute )
-#endif /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
                        {
                                SLAP_SOCK_CLR_READ( lr->sl_sd );
                        } else {
@@ -1901,8 +2092,14 @@ slapd_daemon_task(
                ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 
                if ( rtask && cat.tv_sec ) {
-                       time_t diff = difftime( cat.tv_sec, now );
-                       if ( diff == 0 ) diff = tdelta;
+                       /* NOTE: diff __should__ always be >= 0,
+                        * AFAI understand; however (ITS#4872),
+                        * time_t might be unsigned in some systems,
+                        * while difftime() returns a double */
+                       double diff = difftime( cat.tv_sec, now );
+                       if ( diff <= 0 ) {
+                               diff = tdelta;
+                       }
                        if ( tvp == NULL || diff < tv.tv_sec ) {
                                tv.tv_sec = diff;
                                tv.tv_usec = 0;
@@ -1925,7 +2122,6 @@ slapd_daemon_task(
                                continue;
                        }
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
                        if ( lr->sl_busy ) {
                                Debug( LDAP_DEBUG_CONNS,
                                        "daemon: " SLAP_EVENT_FNAME ": "
@@ -1933,7 +2129,6 @@ slapd_daemon_task(
                                        lr->sl_sd, 0, 0 );
                                continue;
                        }
-#endif /* SLAP_LIGHTWEIGHT_DISPATCHER */
 
                        Debug( LDAP_DEBUG_CONNS,
                                "daemon: " SLAP_EVENT_FNAME ": "
@@ -2016,11 +2211,7 @@ slapd_daemon_task(
                        SLAP_EVENT_CLR_WRITE( slap_listeners[l]->sl_sd );
                        ns--;
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
                        rc = slap_listener_activate( slap_listeners[l] );
-#else /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
-                       rc = slap_listener( slap_listeners[l] );
-#endif /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
                }
 
                /* bypass the following tests if no descriptors left */
@@ -2124,11 +2315,7 @@ slapd_daemon_task(
                         * active.
                         */
 
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
                        connection_read_activate( rd );
-#else /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
-                       connection_read( rd );
-#endif /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
                }
 #else  /* !SLAP_EVENTS_ARE_INDEXED */
        /* FIXME */
@@ -2180,11 +2367,7 @@ slapd_daemon_task(
                        int rc = 1, fd;
 
                        if ( SLAP_EVENT_IS_LISTENER( i ) ) {
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
                                rc = slap_listener_activate( SLAP_EVENT_LISTENER( i ) );
-#else /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
-                               rc = slap_listener( SLAP_EVENT_LISTENER( i ) );
-#endif /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
                        }
 
                        /* If we found a regular listener, rc is now zero, and we
@@ -2226,17 +2409,7 @@ slapd_daemon_task(
                                                fd, 0, 0 );
 
                                        SLAP_EVENT_CLR_READ( i );
-#ifdef SLAP_LIGHTWEIGHT_DISPATCHER
                                        connection_read_activate( fd );
-#else /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
-                                       /*
-                                        * NOTE: it is possible that the connection was closed
-                                        * and that the stream is now inactive.
-                                        * connection_read() must valid the stream is still
-                                        * active.
-                                        */
-                                       connection_read( fd );
-#endif /* ! SLAP_LIGHTWEIGHT_DISPATCHER */
                                } else {
                                        Debug( LDAP_DEBUG_CONNS,
                                                "daemon: hangup on %d\n", fd, 0, 0 );
@@ -2298,16 +2471,17 @@ connectionless_init( void )
 
        for ( l = 0; slap_listeners[l] != NULL; l++ ) {
                Listener *lr = slap_listeners[l];
-               long id;
+               Connection *c;
 
                if ( !lr->sl_is_udp ) {
                        continue;
                }
 
-               id = connection_init( lr->sl_sd, lr, "", "",
-                       CONN_IS_UDP, (slap_ssf_t) 0, NULL );
+               c = connection_init( lr->sl_sd, lr, "", "",
+                       CONN_IS_UDP, (slap_ssf_t) 0, NULL
+                       LDAP_PF_LOCAL_SENDMSG_ARG(NULL));
 
-               if ( id < 0 ) {
+               if ( !c ) {
                        Debug( LDAP_DEBUG_TRACE,
                                "connectionless_init: failed on %s (%d)\n",
                                lr->sl_url, lr->sl_sd, 0 );
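Review bot: The failure `Debug()` call passes `lr->sl_url` to `%s`, but elsewhere in this diff `sl_url` is used as a struct with a `bv_val` member (`sl->sl_url.bv_val`), so a struct is handed to a string conversion; the argument should be `lr->sl_url.bv_val`. The line is unchanged context, but it sits on the error path this hunk rewrites and is the only diagnostic emitted when `connection_init()` fails for a UDP listener. The function continues outside the hunk.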
@@ -2421,7 +2595,7 @@ slap_sig_shutdown( int sig )
         * SIGBREAK is generated when a user logs out.
         */
 
-#if HAVE_NT_SERVICE_MANAGER && SIGBREAK
+#if defined(HAVE_NT_SERVICE_MANAGER) && defined(SIGBREAK)
        if (is_NT_Service && sig == SIGBREAK) {
                /* empty */;
        } else