More for ITS#6815, Unbind and Abandon

[openldap] / servers / slapd / overlays / accesslog.c
diff --git a/servers/slapd/overlays/accesslog.c b/servers/slapd/overlays/accesslog.c

index ef6a46d4a794a89d06172f594a7dc54205fdf196..d01c70d0675211895bf959df2e04dc3c4a4d3184 100644 (file)
--- a/servers/slapd/overlays/accesslog.c
+++ b/servers/slapd/overlays/accesslog.c
@@ -2,7 +2,7 @@
  /* $OpenLDAP$ */
  /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2011 The OpenLDAP Foundation.
   * Portions copyright 2004-2005 Symas Corporation.
   * All rights reserved.
   *
@@ -56,6 +56,13 @@ typedef struct log_attr {
         AttributeDescription *attr;
  } log_attr;
  
+typedef struct log_base {
+       struct log_base *lb_next;
+       slap_mask_t lb_ops;
+       struct berval lb_base;
+       struct berval lb_line;
+} log_base;
+
  typedef struct log_info {
         BackendDB *li_db;
         struct berval li_db_suffix;
@@ -67,6 +74,7 @@ typedef struct log_info {
         Entry *li_old;
         log_attr *li_oldattrs;
         int li_success;
+       log_base *li_bases;
         ldap_pvt_thread_rmutex_t li_op_rmutex;
         ldap_pvt_thread_mutex_t li_log_mutex;
  } log_info;
@@ -79,7 +87,8 @@ enum {
         LOG_PURGE,
         LOG_SUCCESS,
         LOG_OLD,
-       LOG_OLDATTR
+       LOG_OLDATTR,
+       LOG_BASE
  };
  
  static ConfigTable log_cfats[] = {
@@ -110,6 +119,12 @@ static ConfigTable log_cfats[] = {
                         "DESC 'Log old values of these attributes even if unmodified' "
                         "EQUALITY caseIgnoreMatch "
                         "SYNTAX OMsDirectoryString )", NULL, NULL },
+       { "logbase", "op|writes|reads|session|all< <baseDN", 3, 3, 0,
+               ARG_MAGIC|LOG_BASE,
+               log_cf_gen, "( OLcfgOvAt:4.7 NAME 'olcAccessLogBase' "
+                       "DESC 'Operation types to log under a specific branch' "
+                       "EQUALITY caseIgnoreMatch "
+                       "SYNTAX OMsDirectoryString )", NULL, NULL },
         { NULL }
  };
  
@@ -120,7 +135,7 @@ static ConfigOCs log_cfocs[] = {
                 "SUP olcOverlayConfig "
                 "MUST olcAccessLogDB "
                 "MAY ( olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogSuccess $ "
-                       "olcAccessLogOld $ olcAccessLogOldAttr ) )",
+                       "olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase ) )",
                         Cft_Overlay, log_cfats },
         { NULL }
  };
@@ -162,12 +177,14 @@ enum {
         LOG_EN__COUNT
  };
  
-static ObjectClass *log_ocs[LOG_EN__COUNT], *log_container;
+static ObjectClass *log_ocs[LOG_EN__COUNT], *log_container,
+       *log_oc_read, *log_oc_write;
  
  #define LOG_SCHEMA_ROOT        "1.3.6.1.4.1.4203.666.11.5"
  
  #define LOG_SCHEMA_AT LOG_SCHEMA_ROOT ".1"
  #define LOG_SCHEMA_OC LOG_SCHEMA_ROOT ".2"
+#define LOG_SCHEMA_SYN LOG_SCHEMA_ROOT ".3"
  
  static AttributeDescription *ad_reqDN, *ad_reqStart, *ad_reqEnd, *ad_reqType,
         *ad_reqSession, *ad_reqResult, *ad_reqAuthzID, *ad_reqControls,
@@ -178,6 +195,31 @@ static AttributeDescription *ad_reqDN, *ad_reqStart, *ad_reqEnd, *ad_reqType,
         *ad_reqId, *ad_reqMessage, *ad_reqVersion, *ad_reqDerefAliases,
         *ad_reqReferral, *ad_reqOld, *ad_auditContext;
  
+static int
+logSchemaControlValidate(
+       Syntax          *syntax,
+       struct berval   *val );
+
+char   *mrControl[] = {
+       "objectIdentifierFirstComponentMatch",
+       NULL
+};
+
+static struct {
+       char                    *oid;
+       slap_syntax_defs_rec    syn;
+       char                    **mrs;
+} lsyntaxes[] = {
+       { LOG_SCHEMA_SYN ".1" ,
+               { "( " LOG_SCHEMA_SYN ".1 DESC 'Control' )",
+                       SLAP_SYNTAX_HIDE,
+                       NULL,
+                       logSchemaControlValidate,
+                       NULL },
+               mrControl },
+       { NULL }
+};
+
  static struct {
         char *at;
         AttributeDescription **ad;
@@ -231,10 +273,14 @@ static struct {
                 "SUP labeledURI )", &ad_reqReferral },
         { "( " LOG_SCHEMA_AT ".10 NAME 'reqControls' "
                 "DESC 'Request controls' "
-               "SYNTAX OMsOctetString )", &ad_reqControls },
+               "EQUALITY objectIdentifierFirstComponentMatch "
+               "SYNTAX " LOG_SCHEMA_SYN ".1 "
+               "X-ORDERED 'VALUES' )", &ad_reqControls },
         { "( " LOG_SCHEMA_AT ".11 NAME 'reqRespControls' "
                 "DESC 'Response controls of request' "
-               "SYNTAX OMsOctetString )", &ad_reqRespControls },
+               "EQUALITY objectIdentifierFirstComponentMatch "
+               "SYNTAX " LOG_SCHEMA_SYN ".1 "
+               "X-ORDERED 'VALUES' )", &ad_reqRespControls },
         { "( " LOG_SCHEMA_AT ".12 NAME 'reqId' "
                 "DESC 'ID of Request to Abandon' "
                 "EQUALITY integerMatch "
@@ -370,10 +416,10 @@ static struct {
                                 &log_ocs[LOG_EN_UNBIND] },
         { "( " LOG_SCHEMA_OC ".2 NAME 'auditReadObject' "
                 "DESC 'OpenLDAP read request record' "
-               "SUP auditObject STRUCTURAL )", NULL },
+               "SUP auditObject STRUCTURAL )", &log_oc_read },
         { "( " LOG_SCHEMA_OC ".3 NAME 'auditWriteObject' "
                 "DESC 'OpenLDAP write request record' "
-               "SUP auditObject STRUCTURAL )", NULL },
+               "SUP auditObject STRUCTURAL )", &log_oc_write },
         { "( " LOG_SCHEMA_OC ".4 NAME 'auditAbandon' "
                 "DESC 'Abandon operation' "
                 "SUP auditObject STRUCTURAL "
@@ -484,11 +530,13 @@ log_age_parse(char *agestr)
  }
  
  static void
-log_age_unparse( int age, struct berval *agebv )
+log_age_unparse( int age, struct berval *agebv, size_t size )
  {
-       int dd, hh, mm, ss;
+       int dd, hh, mm, ss, len;
         char *ptr;
  
+       assert( size > 0 );
+
         ss = age % 60;
         age /= 60;
         mm = age % 60;
@@ -499,11 +547,22 @@ log_age_unparse( int age, struct berval *agebv )
  
         ptr = agebv->bv_val;
  
-       if ( dd ) 
-               ptr += sprintf( ptr, "%d+", dd );
-       ptr += sprintf( ptr, "%02d:%02d", hh, mm );
-       if ( ss )
-               ptr += sprintf( ptr, ":%02d", ss );
+       if ( dd ) {
+               len = snprintf( ptr, size, "%d+", dd );
+               assert( len >= 0 && (unsigned) len < size );
+               size -= len;
+               ptr += len;
+       }
+       len = snprintf( ptr, size, "%02d:%02d", hh, mm );
+       assert( len >= 0 && (unsigned) len < size );
+       size -= len;
+       ptr += len;
+       if ( ss ) {
+               len = snprintf( ptr, size, ":%02d", ss );
+               assert( len >= 0 && (unsigned) len < size );
+               size -= len;
+               ptr += len;
+       }
  
         agebv->bv_len = ptr - agebv->bv_val;
  }
@@ -524,20 +583,24 @@ static int
  log_old_lookup( Operation *op, SlapReply *rs )
  {
         purge_data *pd = op->o_callback->sc_private;
+       Attribute *a;
  
         if ( rs->sr_type != REP_SEARCH) return 0;
  
         if ( slapd_shutdown ) return 0;
  
-       /* Remember old CSN */
-       if ( pd->csn.bv_val[0] == '\0' ) {
-               Attribute *a = attr_find( rs->sr_entry->e_attrs,
-                       slap_schema.si_ad_entryCSN );
-               if ( a ) {
-                       int len = a->a_vals[0].bv_len;
-                       if ( len > pd->csn.bv_len )
-                               len = pd->csn.bv_len;
-                       AC_MEMCPY( pd->csn.bv_val, a->a_vals[0].bv_val, len );
+       /* Remember max CSN: should always be the last entry
+        * seen, since log entries are ordered chronologically...
+        */
+       a = attr_find( rs->sr_entry->e_attrs,
+               slap_schema.si_ad_entryCSN );
+       if ( a ) {
+               ber_len_t len = a->a_nvals[0].bv_len;
+               /* Paranoid len check, normalized CSNs are always the same length */
+               if ( len > LDAP_PVT_CSNSTR_BUFSIZE )
+                       len = LDAP_PVT_CSNSTR_BUFSIZE;
+               if ( memcmp( a->a_nvals[0].bv_val, pd->csn.bv_val, len ) > 0 ) {
+                       AC_MEMCPY( pd->csn.bv_val, a->a_nvals[0].bv_val, len );
                         pd->csn.bv_len = len;
                 }
         }
@@ -565,10 +628,10 @@ accesslog_purge( void *ctx, void *arg )
         SlapReply rs = {REP_RESULT};
         slap_callback cb = { NULL, log_old_lookup, NULL, NULL };
         Filter f;
-       AttributeAssertion ava = {0};
+       AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
         purge_data pd = {0};
         char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
-       char csnbuf[LDAP_LUTIL_CSNSTR_BUFSIZE];
+       char csnbuf[LDAP_PVT_CSNSTR_BUFSIZE];
         time_t old = slap_get_time();
  
         connection_fake_init( &conn, &opbuf, ctx );
@@ -612,20 +675,52 @@ accesslog_purge( void *ctx, void *arg )
         if ( pd.used ) {
                 int i;
  
+               /* delete the expired entries */
                 op->o_tag = LDAP_REQ_DELETE;
                 op->o_callback = &nullsc;
                 op->o_csn = pd.csn;
+               op->o_dont_replicate = 1;
  
                 for (i=0; i<pd.used; i++) {
                         op->o_req_dn = pd.dn[i];
                         op->o_req_ndn = pd.ndn[i];
-                       if ( !slapd_shutdown )
+                       if ( !slapd_shutdown ) {
+                               rs_reinit( &rs, REP_RESULT );
                                 op->o_bd->be_delete( op, &rs );
+                       }
                         ch_free( pd.ndn[i].bv_val );
                         ch_free( pd.dn[i].bv_val );
                 }
                 ch_free( pd.ndn );
                 ch_free( pd.dn );
+
+               {
+                       Modifications mod;
+                       struct berval bv[2];
+                       rs_reinit( &rs, REP_RESULT );
+                       /* update context's entryCSN to reflect oldest CSN */
+                       mod.sml_numvals = 1;
+                       mod.sml_values = bv;
+                       bv[0] = pd.csn;
+                       BER_BVZERO(&bv[1]);
+                       mod.sml_nvalues = NULL;
+                       mod.sml_desc = slap_schema.si_ad_entryCSN;
+                       mod.sml_op = LDAP_MOD_REPLACE;
+                       mod.sml_flags = SLAP_MOD_INTERNAL;
+                       mod.sml_next = NULL;
+
+                       op->o_tag = LDAP_REQ_MODIFY;
+                       op->orm_modlist = &mod;
+                       op->orm_no_opattrs = 1;
+                       op->o_req_dn = li->li_db->be_suffix[0];
+                       op->o_req_ndn = li->li_db->be_nsuffix[0];
+                       op->o_no_schema_check = 1;
+                       op->o_managedsait = SLAP_CONTROL_NONCRITICAL;
+                       op->o_bd->be_modify( op, &rs );
+                       if ( mod.sml_next ) {
+                               slap_mods_free( mod.sml_next, 1 );
+                       }
+               }
         }
  
         ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
@@ -656,10 +751,10 @@ log_cf_gen(ConfigArgs *c)
                                 value_add_one( &c->rvalue_vals, li->li_db->be_suffix );
                                 value_add_one( &c->rvalue_nvals, li->li_db->be_nsuffix );
                         } else {
-                               snprintf( c->msg, sizeof( c->msg ),
+                               snprintf( c->cr_msg, sizeof( c->cr_msg ),
                                         "accesslog: \"logdb <suffix>\" must be specified" );
                                 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
-                                       c->log, c->msg, c->value_dn.bv_val );
+                                       c->log, c->cr_msg, c->value_dn.bv_val );
                                 rc = 1;
                                 break;
                         }
@@ -673,11 +768,11 @@ log_cf_gen(ConfigArgs *c)
                                 break;
                         }
                         agebv.bv_val = agebuf;
-                       log_age_unparse( li->li_age, &agebv );
+                       log_age_unparse( li->li_age, &agebv, sizeof( agebuf ) );
                         agebv.bv_val[agebv.bv_len] = ' ';
                         agebv.bv_len++;
                         cyclebv.bv_val = agebv.bv_val + agebv.bv_len;
-                       log_age_unparse( li->li_cycle, &cyclebv );
+                       log_age_unparse( li->li_cycle, &cyclebv, sizeof( agebuf ) - agebv.bv_len );
                         agebv.bv_len += cyclebv.bv_len;
                         value_add_one( &c->rvalue_vals, &agebv );
                         break;
@@ -705,6 +800,16 @@ log_cf_gen(ConfigArgs *c)
                         else
                                 rc = 1;
                         break;
+               case LOG_BASE:
+                       if ( li->li_bases ) {
+                               log_base *lb;
+
+                               for ( lb = li->li_bases; lb; lb=lb->lb_next )
+                                       value_add_one( &c->rvalue_vals, &lb->lb_line );
+                       }
+                       else
+                               rc = 1;
+                       break;
                 }
                 break;
         case LDAP_MOD_DELETE:
@@ -725,9 +830,11 @@ log_cf_gen(ConfigArgs *c)
                         if ( li->li_task ) {
                                 struct re_s *re = li->li_task;
                                 li->li_task = NULL;
+                               ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
                                 if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ))
                                         ldap_pvt_runqueue_stoptask( &slapd_rq, re );
                                 ldap_pvt_runqueue_remove( &slapd_rq, re );
+                               ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
                         }
                         li->li_age = 0;
                         li->li_cycle = 0;
@@ -761,19 +868,39 @@ log_cf_gen(ConfigArgs *c)
                                 ch_free( la );
                         }
                         break;
+               case LOG_BASE:
+                       if ( c->valx < 0 ) {
+                               log_base *lb, *ln;
+
+                               for ( lb = li->li_bases; lb; lb = ln ) {
+                                       ln = lb->lb_next;
+                                       ch_free( lb );
+                               }
+                       } else {
+                               log_base *lb = NULL, **lp;
+                               int i;
+
+                               for ( lp = &li->li_bases, i=0; i < c->valx; i++ ) {
+                                       lb = *lp;
+                                       lp = &lb->lb_next;
+                               }
+                               *lp = lb->lb_next;
+                               ch_free( lb );
+                       }
+                       break;
                 }
                 break;
         default:
                 switch( c->type ) {
                 case LOG_DB:
                         if ( CONFIG_ONLINE_ADD( c )) {
-                               li->li_db = select_backend( &c->value_ndn, 0, 0 );
+                               li->li_db = select_backend( &c->value_ndn, 0 );
                                 if ( !li->li_db ) {
-                                       snprintf( c->msg, sizeof( c->msg ),
+                                       snprintf( c->cr_msg, sizeof( c->cr_msg ),
                                                 "<%s> no matching backend found for suffix",
                                                 c->argv[0] );
                                         Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
-                                               c->log, c->msg, c->value_dn.bv_val );
+                                               c->log, c->cr_msg, c->value_dn.bv_val );
                                         rc = 1;
                                 }
                                 ch_free( c->value_ndn.bv_val );
@@ -799,12 +926,15 @@ log_cf_gen(ConfigArgs *c)
                                         struct re_s *re = li->li_task;
                                         if ( re )
                                                 re->interval.tv_sec = li->li_cycle;
-                                       else
+                                       else {
+                                               ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
                                                 li->li_task = ldap_pvt_runqueue_insert( &slapd_rq,
                                                         li->li_cycle, accesslog_purge, li,
                                                         "accesslog_purge", li->li_db ?
                                                                 li->li_db->be_suffix[0].bv_val :
                                                                 c->be->be_suffix[0].bv_val );
+                                               ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
+                                       }
                                 }
                         }
                         break;
@@ -814,7 +944,7 @@ log_cf_gen(ConfigArgs *c)
                 case LOG_OLD:
                         li->li_oldf = str2filter( c->argv[1] );
                         if ( !li->li_oldf ) {
-                               sprintf( c->msg, "bad filter!" );
+                               snprintf( c->cr_msg, sizeof( c->cr_msg ), "bad filter!" );
                                 rc = 1;
                         }
                         break;
@@ -831,23 +961,324 @@ log_cf_gen(ConfigArgs *c)
                                         la->next = li->li_oldattrs;
                                         li->li_oldattrs = la;
                                 } else {
-                                       snprintf( c->msg, sizeof( c->msg ), "%s <%s>: %s",
+                                       snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s <%s>: %s",
                                                 c->argv[0], c->argv[i], text );
                                         Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
-                                               "%s: %s\n", c->log, c->msg, 0 );
+                                               "%s: %s\n", c->log, c->cr_msg, 0 );
                                         rc = ARG_BAD_CONF;
                                         break;
                                 }
                         }
                         }
                         break;
+               case LOG_BASE: {
+                       slap_mask_t m = 0;
+                       rc = verbstring_to_mask( logops, c->argv[1], '|', &m );
+                       if ( rc == 0 ) {
+                               struct berval dn, ndn;
+                               ber_str2bv( c->argv[2], 0, 0, &dn );
+                               rc = dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL );
+                               if ( rc == 0 ) {
+                                       log_base *lb;
+                                       struct berval mbv;
+                                       char *ptr;
+                                       mask_to_verbstring( logops, m, '|', &mbv );
+                                       lb = ch_malloc( sizeof( log_base ) + mbv.bv_len + ndn.bv_len + 3 + 1 );
+                                       lb->lb_line.bv_val = (char *)(lb + 1);
+                                       lb->lb_line.bv_len = mbv.bv_len + ndn.bv_len + 3;
+                                       ptr = lutil_strcopy( lb->lb_line.bv_val, mbv.bv_val );
+                                       *ptr++ = ' ';
+                                       *ptr++ = '"';
+                                       lb->lb_base.bv_val = ptr;
+                                       lb->lb_base.bv_len = ndn.bv_len;
+                                       ptr = lutil_strcopy( ptr, ndn.bv_val );
+                                       *ptr++ = '"';
+                                       lb->lb_ops = m;
+                                       lb->lb_next = li->li_bases;
+                                       li->li_bases = lb;
+                               } else {
+                                       snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s invalid DN: %s",
+                                               c->argv[0], c->argv[2] );
+                                       Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+                                               "%s: %s\n", c->log, c->cr_msg, 0 );
+                                       rc = ARG_BAD_CONF;
+                               }
+                       } else {
+                               snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s invalid ops: %s",
+                                       c->argv[0], c->argv[1] );
+                               Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+                                       "%s: %s\n", c->log, c->cr_msg, 0 );
+                               rc = ARG_BAD_CONF;
+                       }
+                       }
+                       break;
                 }
                 break;
         }
         return rc;
  }
  
-static Entry *accesslog_entry( Operation *op, int logop,
+static int
+logSchemaControlValidate(
+       Syntax          *syntax,
+       struct berval   *valp )
+{
+       struct berval   val, bv;
+       ber_len_t               i;
+       int             rc = LDAP_SUCCESS;
+
+       assert( valp != NULL );
+
+       val = *valp;
+
+       /* check minimal size */
+       if ( val.bv_len < STRLENOF( "{*}" ) ) {
+               return LDAP_INVALID_SYNTAX;
+       }
+
+       val.bv_len--;
+
+       /* check SEQUENCE boundaries */
+       if ( val.bv_val[ 0 ] != '{' /*}*/ ||
+               val.bv_val[ val.bv_len ] != /*{*/ '}' )
+       {
+               return LDAP_INVALID_SYNTAX;
+       }
+
+       /* extract and check OID */
+       for ( i = 1; i < val.bv_len; i++ ) {
+               if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
+                       break;
+               }
+       }
+
+       bv.bv_val = &val.bv_val[ i ];
+
+       for ( i++; i < val.bv_len; i++ ) {
+               if ( ASCII_SPACE( val.bv_val[ i ] ) )
+               {
+                       break;
+               }
+       }
+
+       bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
+
+       rc = numericoidValidate( NULL, &bv );
+       if ( rc != LDAP_SUCCESS ) {
+               return rc;
+       }
+
+       if ( i == val.bv_len ) {
+               return LDAP_SUCCESS;
+       }
+
+       if ( val.bv_val[ i ] != ' ' ) {
+               return LDAP_INVALID_SYNTAX;
+       }
+
+       for ( i++; i < val.bv_len; i++ ) {
+               if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
+                       break;
+               }
+       }
+
+       if ( i == val.bv_len ) {
+               return LDAP_SUCCESS;
+       }
+
+       /* extract and check criticality */
+       if ( strncasecmp( &val.bv_val[ i ], "criticality ", STRLENOF( "criticality " ) ) == 0 )
+       {
+               i += STRLENOF( "criticality " );
+               for ( ; i < val.bv_len; i++ ) {
+                       if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
+                               break;
+                       }
+               }
+
+               if ( i == val.bv_len ) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               bv.bv_val = &val.bv_val[ i ];
+
+               for ( ; i < val.bv_len; i++ ) {
+                       if ( ASCII_SPACE( val.bv_val[ i ] ) ) {
+                               break;
+                       }
+               }
+
+               bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
+
+               if ( !bvmatch( &bv, &slap_true_bv ) && !bvmatch( &bv, &slap_false_bv ) ) 
+               {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               if ( i == val.bv_len ) {
+                       return LDAP_SUCCESS;
+               }
+
+               if ( val.bv_val[ i ] != ' ' ) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               for ( i++; i < val.bv_len; i++ ) {
+                       if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
+                               break;
+                       }
+               }
+
+               if ( i == val.bv_len ) {
+                       return LDAP_SUCCESS;
+               }
+       }
+
+       /* extract and check controlValue */
+       if ( strncasecmp( &val.bv_val[ i ], "controlValue ", STRLENOF( "controlValue " ) ) == 0 )
+       {
+               ber_len_t valueStart, valueLen;
+
+               i += STRLENOF( "controlValue " );
+               for ( ; i < val.bv_len; i++ ) {
+                       if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
+                               break;
+                       }
+               }
+
+               if ( i == val.bv_len ) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               if ( val.bv_val[ i ] != '"' ) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               i++;
+               valueStart = i;
+
+               for ( ; i < val.bv_len; i++ ) {
+                       if ( val.bv_val[ i ] == '"' ) {
+                               break;
+                       }
+
+                       if ( !ASCII_HEX( val.bv_val[ i ] ) ) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+               }
+
+               if ( val.bv_val[ i ] != '"' ) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               valueLen = i - valueStart;
+               if ( (valueLen/2)*2 != valueLen ) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               for ( i++; i < val.bv_len; i++ ) {
+                       if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
+                               break;
+                       }
+               }
+
+               if ( i == val.bv_len ) {
+                       return LDAP_SUCCESS;
+               }
+       }
+
+       return LDAP_INVALID_SYNTAX;
+}
+
+static int
+accesslog_ctrls(
+       LDAPControl **ctrls,
+       BerVarray *valsp,
+       BerVarray *nvalsp,
+       void *memctx )
+{
+       long            i, rc = 0;
+
+       assert( valsp != NULL );
+       assert( ctrls != NULL );
+
+       *valsp = NULL;
+       *nvalsp = NULL;
+
+       for ( i = 0; ctrls[ i ] != NULL; i++ ) {
+               struct berval   idx,
+                               oid,
+                               noid,
+                               bv;
+               char            *ptr,
+                               buf[ 32 ];
+
+               if ( ctrls[ i ]->ldctl_oid == NULL ) {
+                       return LDAP_PROTOCOL_ERROR;
+               }
+
+               idx.bv_len = snprintf( buf, sizeof( buf ), "{%ld}", i );
+               idx.bv_val = buf;
+
+               ber_str2bv( ctrls[ i ]->ldctl_oid, 0, 0, &oid );
+               noid.bv_len = idx.bv_len + oid.bv_len;
+               ptr = noid.bv_val = ber_memalloc_x( noid.bv_len + 1, memctx );
+               ptr = lutil_strcopy( ptr, idx.bv_val );
+               ptr = lutil_strcopy( ptr, oid.bv_val );
+
+               bv.bv_len = idx.bv_len + STRLENOF( "{}" ) + oid.bv_len;
+
+               if ( ctrls[ i ]->ldctl_iscritical ) {
+                       bv.bv_len += STRLENOF( " criticality TRUE" );
+               }
+
+               if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
+                       bv.bv_len += STRLENOF( " controlValue \"\"" )
+                               + 2 * ctrls[ i ]->ldctl_value.bv_len;
+               }
+
+               ptr = bv.bv_val = ber_memalloc_x( bv.bv_len + 1, memctx );
+               if ( ptr == NULL ) {
+                       ber_bvarray_free( *valsp );
+                       *valsp = NULL;
+                       ber_bvarray_free( *nvalsp );
+                       *nvalsp = NULL;
+                       return LDAP_OTHER;
+               }
+
+               ptr = lutil_strcopy( ptr, idx.bv_val );
+
+               *ptr++ = '{' /*}*/ ;
+               ptr = lutil_strcopy( ptr, oid.bv_val );
+
+               if ( ctrls[ i ]->ldctl_iscritical ) {
+                       ptr = lutil_strcopy( ptr, " criticality TRUE" );
+               }
+               
+               if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
+                       ber_len_t       j;
+
+                       ptr = lutil_strcopy( ptr, " controlValue \"" );
+                       for ( j = 0; j < ctrls[ i ]->ldctl_value.bv_len; j++ ) {
+                               *ptr++ = SLAP_ESCAPE_HI(ctrls[ i ]->ldctl_value.bv_val[ j ]);
+                               *ptr++ = SLAP_ESCAPE_LO(ctrls[ i ]->ldctl_value.bv_val[ j ]);
+                       }
+
+                       *ptr++ = '"';
+               }
+
+               *ptr++ = '}';
+               *ptr = '\0';
+
+               ber_bvarray_add_x( valsp, &bv, memctx );
+               ber_bvarray_add_x( nvalsp, &noid, memctx );
+       }
+
+       return rc;
+       
+}
+
+static Entry *accesslog_entry( Operation *op, SlapReply *rs, int logop,
         Operation *op2 ) {
         slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
         log_info *li = on->on_bi.bi_private;
@@ -868,8 +1299,8 @@ static Entry *accesslog_entry( Operation *op, int logop,
         timestamp.bv_val = rdnbuf+STRLENOF(RDNEQ);
         timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
         slap_timestamp( &op->o_time, &timestamp );
-       sprintf( timestamp.bv_val + timestamp.bv_len-1, ".%06dZ", op->o_tincr );
-       timestamp.bv_len += 7;
+       snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op->o_tincr );
+       timestamp.bv_len += STRLENOF(".123456");
  
         rdn.bv_len = STRLENOF(RDNEQ)+timestamp.bv_len;
         ad_reqStart->ad_type->sat_equality->smr_normalize(
@@ -893,8 +1324,8 @@ static Entry *accesslog_entry( Operation *op, int logop,
  
         timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
         slap_timestamp( &op2->o_time, &timestamp );
-       sprintf( timestamp.bv_val + timestamp.bv_len-1, ".%06dZ", op2->o_tincr );
-       timestamp.bv_len += 7;
+       snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op2->o_tincr );
+       timestamp.bv_len += STRLENOF(".123456");
  
         attr_merge_normalize_one( e, ad_reqEnd, &timestamp, op->o_tmpmemctx );
  
@@ -913,16 +1344,45 @@ static Entry *accesslog_entry( Operation *op, int logop,
                 attr_merge_one( e, ad_reqType, &lo->word, NULL );
         }
  
-       rdn.bv_len = sprintf( rdn.bv_val, "%lu", op->o_connid );
-       attr_merge_one( e, ad_reqSession, &rdn, NULL );
+       rdn.bv_len = snprintf( rdn.bv_val, sizeof( rdnbuf ), "%lu", op->o_connid );
+       if ( rdn.bv_len < sizeof( rdnbuf ) ) {
+               attr_merge_one( e, ad_reqSession, &rdn, NULL );
+       } /* else? */
  
-       if ( BER_BVISNULL( &op->o_dn )) 
+       if ( BER_BVISNULL( &op->o_dn ) ) {
                 attr_merge_one( e, ad_reqAuthzID, (struct berval *)&slap_empty_bv,
                         (struct berval *)&slap_empty_bv );
-       else
+       } else {
                 attr_merge_one( e, ad_reqAuthzID, &op->o_dn, &op->o_ndn );
+       }
  
         /* FIXME: need to add reqControls and reqRespControls */
+       if ( op->o_ctrls ) {
+               BerVarray       vals = NULL,
+                               nvals = NULL;
+
+               if ( accesslog_ctrls( op->o_ctrls, &vals, &nvals,
+                       op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
+               {
+                       attr_merge( e, ad_reqControls, vals, nvals );
+                       ber_bvarray_free_x( vals, op->o_tmpmemctx );
+                       ber_bvarray_free_x( nvals, op->o_tmpmemctx );
+               }
+       }
+
+       if ( rs->sr_ctrls ) {
+               BerVarray       vals = NULL,
+                               nvals = NULL;
+
+               if ( accesslog_ctrls( rs->sr_ctrls, &vals, &nvals,
+                       op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
+               {
+                       attr_merge( e, ad_reqRespControls, vals, nvals );
+                       ber_bvarray_free_x( vals, op->o_tmpmemctx );
+                       ber_bvarray_free_x( nvals, op->o_tmpmemctx );
+               }
+
+       }
  
         return e;
  }
@@ -995,20 +1455,43 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
         }       /* Unbind and Abandon never reach here */
  
         lo = logops+logop+EN_OFFSET;
-       if ( !( li->li_ops & lo->mask ))
-               return SLAP_CB_CONTINUE;
+       if ( !( li->li_ops & lo->mask )) {
+               log_base *lb;
+
+               i = 0;
+               for ( lb = li->li_bases; lb; lb=lb->lb_next )
+                       if (( lb->lb_ops & lo->mask ) && dnIsSuffix( &op->o_req_ndn, &lb->lb_base )) {
+                               i = 1;
+                               break;
+                       }
+               if ( !i )
+                       return SLAP_CB_CONTINUE;
+       }
  
         if ( lo->mask & LOG_OP_WRITES ) {
+               slap_callback *cb;
+
+               /* These internal ops are not logged */
+               if ( op->o_dont_replicate && op->orm_no_opattrs )
+                       return SLAP_CB_CONTINUE;
+
                 ldap_pvt_thread_mutex_lock( &li->li_log_mutex );
                 old = li->li_old;
                 li->li_old = NULL;
+               /* Disarm mod_cleanup */
+               for ( cb = op->o_callback; cb; cb = cb->sc_next ) {
+                       if ( cb->sc_private == (void *)on ) {
+                               cb->sc_private = NULL;
+                               break;
+                       }
+               }
                 ldap_pvt_thread_rmutex_unlock( &li->li_op_rmutex, op->o_tid );
         }
  
         if ( li->li_success && rs->sr_err != LDAP_SUCCESS )
                 goto done;
  
-       e = accesslog_entry( op, logop, &op2 );
+       e = accesslog_entry( op, rs, logop, &op2 );
  
         attr_merge_one( e, ad_reqDN, &op->o_req_dn, &op->o_req_ndn );
  
@@ -1016,10 +1499,11 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
                 ber_str2bv( rs->sr_text, 0, 0, &bv );
                 attr_merge_one( e, ad_reqMessage, &bv, NULL );
         }
-       bv.bv_len = sprintf( timebuf, "%d", rs->sr_err );
-       bv.bv_val = timebuf;
-
-       attr_merge_one( e, ad_reqResult, &bv, NULL );
+       bv.bv_len = snprintf( timebuf, sizeof( timebuf ), "%d", rs->sr_err );
+       if ( bv.bv_len < sizeof( timebuf ) ) {
+               bv.bv_val = timebuf;
+               attr_merge_one( e, ad_reqResult, &bv, NULL );
+       }
  
         last_attr = attr_find( e->e_attrs, ad_reqResult );
  
@@ -1041,11 +1525,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
                 /* count all the vals */
                 i = 0;
                 for ( a=e2->e_attrs; a; a=a->a_next ) {
-                       if ( a->a_vals ) {
-                               for (b=a->a_vals; !BER_BVISNULL( b ); b++) {
-                                       i++;
-                               }
-                       }
+                       i += a->a_numvals;
                 }
                 vals = ch_malloc( (i+1) * sizeof( struct berval ));
                 i = 0;
@@ -1059,6 +1539,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
                 vals[i].bv_val = NULL;
                 vals[i].bv_len = 0;
                 a = attr_alloc( logop == LOG_EN_ADD ? ad_reqMod : ad_reqOld );
+               a->a_numvals = i;
                 a->a_vals = vals;
                 a->a_nvals = vals;
                 last_attr->a_next = a;
@@ -1071,9 +1552,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
                 i = 0;
                 for ( m = op->orm_modlist; m; m = m->sml_next ) {
                         if ( m->sml_values ) {
-                               for ( b = m->sml_values; !BER_BVISNULL( b ); b++ ) {
-                                       i++;
-                               }
+                               i += m->sml_numvals;
                         } else if ( m->sml_op == LDAP_MOD_DELETE ||
                                 m->sml_op == LDAP_MOD_REPLACE )
                         {
@@ -1154,6 +1633,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
                 if ( i > 0 ) {
                         BER_BVZERO( &vals[i] );
                         a = attr_alloc( ad_reqMod );
+                       a->a_numvals = i;
                         a->a_vals = vals;
                         a->a_nvals = vals;
                         last_attr->a_next = a;
@@ -1168,26 +1648,27 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
                         i = 0;
                         for ( a = old->e_attrs; a != NULL; a = a->a_next ) {
                                 if ( a->a_vals && a->a_flags ) {
-                                       for ( b = a->a_vals; !BER_BVISNULL( b ); b++ ) {
-                                               i++;
-                                       }
+                                       i += a->a_numvals;
                                 }
                         }
-                       vals = ch_malloc( (i + 1) * sizeof( struct berval ) );
-                       i = 0;
-                       for ( a=old->e_attrs; a; a=a->a_next ) {
-                               if ( a->a_vals && a->a_flags ) {
-                                       for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
-                                               accesslog_val2val( a->a_desc, b, 0, &vals[i] );
+                       if ( i ) {
+                               vals = ch_malloc( (i + 1) * sizeof( struct berval ) );
+                               i = 0;
+                               for ( a=old->e_attrs; a; a=a->a_next ) {
+                                       if ( a->a_vals && a->a_flags ) {
+                                               for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
+                                                       accesslog_val2val( a->a_desc, b, 0, &vals[i] );
+                                               }
                                         }
                                 }
+                               vals[i].bv_val = NULL;
+                               vals[i].bv_len = 0;
+                               a = attr_alloc( ad_reqOld );
+                               a->a_numvals = i;
+                               a->a_vals = vals;
+                               a->a_nvals = vals;
+                               last_attr->a_next = a;
                         }
-                       vals[i].bv_val = NULL;
-                       vals[i].bv_len = 0;
-                       a = attr_alloc( ad_reqOld );
-                       a->a_vals = vals;
-                       a->a_nvals = vals;
-                       last_attr->a_next = a;
                 }
                 if ( logop == LOG_EN_MODIFY ) {
                         break;
@@ -1224,40 +1705,52 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
                 if ( !BER_BVISEMPTY( &op->ors_filterstr ))
                         attr_merge_one( e, ad_reqFilter, &op->ors_filterstr, NULL );
                 if ( op->ors_attrs ) {
+                       int j;
                         /* count them */
                         for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
                                 ;
                         vals = op->o_tmpalloc( (i+1) * sizeof(struct berval),
                                 op->o_tmpmemctx );
-                       for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
-                               vals[i] = op->ors_attrs[i].an_name;
-                       vals[i].bv_val = NULL;
-                       vals[i].bv_len = 0;
+                       for (i=0, j=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++) {
+                               if (!BER_BVISEMPTY(&op->ors_attrs[i].an_name)) {
+                                       vals[j] = op->ors_attrs[i].an_name;
+                                       j++;
+                               }
+                       }
+                       BER_BVZERO(&vals[j]);
                         attr_merge( e, ad_reqAttr, vals, NULL );
                         op->o_tmpfree( vals, op->o_tmpmemctx );
                 }
                 bv.bv_val = timebuf;
-               bv.bv_len = sprintf( bv.bv_val, "%d", rs->sr_nentries );
-               attr_merge_one( e, ad_reqEntries, &bv, NULL );
-
-               bv.bv_len = sprintf( bv.bv_val, "%d", op->ors_tlimit );
-               attr_merge_one( e, ad_reqTimeLimit, &bv, NULL );
-
-               bv.bv_len = sprintf( bv.bv_val, "%d", op->ors_slimit );
-               attr_merge_one( e, ad_reqSizeLimit, &bv, NULL );
+               bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", rs->sr_nentries );
+               if ( bv.bv_len < sizeof( timebuf ) ) {
+                       attr_merge_one( e, ad_reqEntries, &bv, NULL );
+               } /* else? */
+
+               bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_tlimit );
+               if ( bv.bv_len < sizeof( timebuf ) ) {
+                       attr_merge_one( e, ad_reqTimeLimit, &bv, NULL );
+               } /* else? */
+
+               bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_slimit );
+               if ( bv.bv_len < sizeof( timebuf ) ) {
+                       attr_merge_one( e, ad_reqSizeLimit, &bv, NULL );
+               } /* else? */
                 break;
  
         case LOG_EN_BIND:
                 bv.bv_val = timebuf;
-               bv.bv_len = sprintf( bv.bv_val, "%d", op->o_protocol );
-               attr_merge_one( e, ad_reqVersion, &bv, NULL );
+               bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->o_protocol );
+               if ( bv.bv_len < sizeof( timebuf ) ) {
+                       attr_merge_one( e, ad_reqVersion, &bv, NULL );
+               } /* else? */
                 if ( op->orb_method == LDAP_AUTH_SIMPLE ) {
                         attr_merge_one( e, ad_reqMethod, &simple, NULL );
                 } else {
-                       bv.bv_len = STRLENOF("SASL()") + op->orb_tmp_mech.bv_len;
+                       bv.bv_len = STRLENOF("SASL()") + op->orb_mech.bv_len;
                         bv.bv_val = op->o_tmpalloc( bv.bv_len + 1, op->o_tmpmemctx );
                         ptr = lutil_strcopy( bv.bv_val, "SASL(" );
-                       ptr = lutil_strcopy( ptr, op->orb_tmp_mech.bv_val );
+                       ptr = lutil_strcopy( ptr, op->orb_mech.bv_val );
                         *ptr++ = ')';
                         *ptr = '\0';
                         attr_merge_one( e, ad_reqMethod, &bv, NULL );
@@ -1343,13 +1836,56 @@ accesslog_op_bind( Operation *op, SlapReply *rs )
         return SLAP_CB_CONTINUE;
  }
  
+static int
+accesslog_mod_cleanup( Operation *op, SlapReply *rs )
+{
+       slap_callback *sc = op->o_callback;
+       slap_overinst *on = sc->sc_private;
+       op->o_callback = sc->sc_next;
+
+       op->o_tmpfree( sc, op->o_tmpmemctx );
+
+       if ( on ) {
+               BackendInfo *bi = op->o_bd->bd_info;
+               op->o_bd->bd_info = (BackendInfo *)on;
+               accesslog_response( op, rs );
+               op->o_bd->bd_info = bi;
+       }
+       return 0;
+}
+
  static int
  accesslog_op_mod( Operation *op, SlapReply *rs )
  {
         slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
         log_info *li = on->on_bi.bi_private;
+       int doit = 0;
+
+       /* These internal ops are not logged */
+       if ( op->o_dont_replicate && op->orm_no_opattrs )
+               return SLAP_CB_CONTINUE;
+
  
         if ( li->li_ops & LOG_OP_WRITES ) {
+               doit = 1;
+       } else {
+               log_base *lb;
+               for ( lb = li->li_bases; lb; lb = lb->lb_next )
+                       if (( lb->lb_ops & LOG_OP_WRITES ) && dnIsSuffix( &op->o_req_ndn, &lb->lb_base )) {
+                               doit = 1;
+                               break;
+                       }
+       }
+                       
+       if ( doit ) {
+               slap_callback *cb = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx ), *cb2;
+               cb->sc_cleanup = accesslog_mod_cleanup;
+               cb->sc_response = NULL;
+               cb->sc_private = on;
+               cb->sc_next = NULL;
+               for ( cb2 = op->o_callback; cb2->sc_next; cb2 = cb2->sc_next );
+               cb2->sc_next = cb;
+
                 ldap_pvt_thread_rmutex_lock( &li->li_op_rmutex, op->o_tid );
                 if ( li->li_oldf && ( op->o_tag == LDAP_REQ_DELETE ||
                         op->o_tag == LDAP_REQ_MODIFY ||
@@ -1357,7 +1893,7 @@ accesslog_op_mod( Operation *op, SlapReply *rs )
                         int rc;
                         Entry *e;
  
-                       op->o_bd->bd_info = on->on_info->oi_orig;
+                       op->o_bd->bd_info = (BackendInfo *)on->on_info;
                         rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
                         if ( e ) {
                                 if ( test_filter( op, e, li->li_oldf ) == LDAP_COMPARE_TRUE )
@@ -1384,10 +1920,20 @@ accesslog_unbind( Operation *op, SlapReply *rs )
                 SlapReply rs2 = {REP_RESULT};
                 Entry *e;
  
-               if ( !( li->li_ops & LOG_OP_UNBIND ))
-                       return SLAP_CB_CONTINUE;
+               if ( !( li->li_ops & LOG_OP_UNBIND )) {
+                       log_base *lb;
+                       int i = 0;
+
+                       for ( lb = li->li_bases; lb; lb=lb->lb_next )
+                               if (( lb->lb_ops & LOG_OP_UNBIND ) && dnIsSuffix( &op->o_ndn, &lb->lb_base )) {
+                                       i = 1;
+                                       break;
+                               }
+                       if ( !i )
+                               return SLAP_CB_CONTINUE;
+               }
  
-               e = accesslog_entry( op, LOG_EN_UNBIND, &op2 );
+               e = accesslog_entry( op, rs, LOG_EN_UNBIND, &op2 );
                 op2.o_hdr = op->o_hdr;
                 op2.o_tag = LDAP_REQ_ADD;
                 op2.o_bd = li->li_db;
@@ -1419,13 +1965,28 @@ accesslog_abandon( Operation *op, SlapReply *rs )
         char buf[64];
         struct berval bv;
  
-       if ( !op->o_time || !( li->li_ops & LOG_OP_ABANDON ))
+       if ( !op->o_time )
                 return SLAP_CB_CONTINUE;
  
-       e = accesslog_entry( op, LOG_EN_ABANDON, &op2 );
+       if ( !( li->li_ops & LOG_OP_ABANDON )) {
+               log_base *lb;
+               int i = 0;
+
+               for ( lb = li->li_bases; lb; lb=lb->lb_next )
+                       if (( lb->lb_ops & LOG_OP_ABANDON ) && dnIsSuffix( &op->o_ndn, &lb->lb_base )) {
+                               i = 1;
+                               break;
+                       }
+               if ( !i )
+                       return SLAP_CB_CONTINUE;
+       }
+
+       e = accesslog_entry( op, rs, LOG_EN_ABANDON, &op2 );
         bv.bv_val = buf;
-       bv.bv_len = sprintf( buf, "%d", op->orn_msgid );
-       attr_merge_one( e, ad_reqId, &bv, NULL );
+       bv.bv_len = snprintf( buf, sizeof( buf ), "%d", op->orn_msgid );
+       if ( bv.bv_len < sizeof( buf ) ) {
+               attr_merge_one( e, ad_reqId, &bv, NULL );
+       } /* else? */
  
         op2.o_hdr = op->o_hdr;
         op2.o_tag = LDAP_REQ_ADD;
@@ -1452,6 +2013,9 @@ accesslog_operational( Operation *op, SlapReply *rs )
         slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
         log_info *li = on->on_bi.bi_private;
  
+       if ( op->o_sync != SLAP_CONTROL_NONE )
+               return SLAP_CB_CONTINUE;
+
         if ( rs->sr_entry != NULL
                 && dn_match( &op->o_bd->be_nsuffix[0], &rs->sr_entry->e_nname ) )
         {
@@ -1464,10 +2028,9 @@ accesslog_operational( Operation *op, SlapReply *rs )
                                 ad_inlist( ad_auditContext, rs->sr_attrs ) )
                 {
                         *ap = attr_alloc( ad_auditContext );
-                       value_add_one( &(*ap)->a_vals,
-                               &li->li_db->be_suffix[0] );
-                       value_add_one( &(*ap)->a_nvals,
-                               &li->li_db->be_nsuffix[0] );
+                       attr_valadd( *ap,
+                               &li->li_db->be_suffix[0],
+                               &li->li_db->be_nsuffix[0], 1 );
                 }
         }
  
@@ -1478,7 +2041,8 @@ static slap_overinst accesslog;
  
  static int
  accesslog_db_init(
-       BackendDB *be
+       BackendDB *be,
+       ConfigReply *cr
  )
  {
         slap_overinst *on = (slap_overinst *)be->bd_info;
@@ -1492,7 +2056,8 @@ accesslog_db_init(
  
  static int
  accesslog_db_destroy(
-       BackendDB *be
+       BackendDB *be,
+       ConfigReply *cr
  )
  {
         slap_overinst *on = (slap_overinst *)be->bd_info;
@@ -1581,8 +2146,11 @@ accesslog_db_root(
  
                         a = attr_find( e_ctx->e_attrs, slap_schema.si_ad_contextCSN );
                         if ( a ) {
-                               attr_merge( e, slap_schema.si_ad_entryCSN, a->a_vals, NULL );
-                               attr_merge( e, a->a_desc, a->a_vals, NULL );
+                               /* FIXME: contextCSN could have multiple values!
+                                * should select the one with the server's SID */
+                               attr_merge_one( e, slap_schema.si_ad_entryCSN,
+                                       &a->a_vals[0], &a->a_nvals[0] );
+                               attr_merge( e, a->a_desc, a->a_vals, a->a_nvals );
                         }
                         be_entry_release_rw( op, e_ctx, 0 );
                 }
@@ -1608,7 +2176,8 @@ accesslog_db_root(
  
  static int
  accesslog_db_open(
-       BackendDB *be
+       BackendDB *be,
+       ConfigReply *cr
  )
  {
         slap_overinst *on = (slap_overinst *)be->bd_info;
@@ -1616,7 +2185,7 @@ accesslog_db_open(
  
  
         if ( !BER_BVISEMPTY( &li->li_db_suffix )) {
-               li->li_db = select_backend( &li->li_db_suffix, 0, 0 );
+               li->li_db = select_backend( &li->li_db_suffix, 0 );
                 ch_free( li->li_db_suffix.bv_val );
                 BER_BVZERO( &li->li_db_suffix );
         }
@@ -1635,8 +2204,10 @@ accesslog_db_open(
                 ber_dupbv( &li->li_db->be_rootndn, li->li_db->be_nsuffix );
         }
  
+       ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
         ldap_pvt_runqueue_insert( &slapd_rq, 3600, accesslog_db_root, on,
                 "accesslog_db_root", li->li_db->be_suffix[0].bv_val );
+       ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
  
         return 0;
  }
@@ -1668,25 +2239,59 @@ int accesslog_initialize()
         if ( rc ) return rc;
  
         /* log schema integration */
+       for ( i=0; lsyntaxes[i].oid; i++ ) {
+               int code;
+
+               code = register_syntax( &lsyntaxes[ i ].syn );
+               if ( code != 0 ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "accesslog_init: register_syntax failed\n",
+                               0, 0, 0 );
+                       return code;
+               }
+
+               if ( lsyntaxes[i].mrs != NULL ) {
+                       code = mr_make_syntax_compat_with_mrs(
+                               lsyntaxes[i].oid, lsyntaxes[i].mrs );
+                       if ( code < 0 ) {
+                               Debug( LDAP_DEBUG_ANY,
+                                       "accesslog_init: "
+                                       "mr_make_syntax_compat_with_mrs "
+                                       "failed\n",
+                                       0, 0, 0 );
+                               return code;
+                       }
+               }
+       }
+
         for ( i=0; lattrs[i].at; i++ ) {
                 int code;
  
                 code = register_at( lattrs[i].at, lattrs[i].ad, 0 );
                 if ( code ) {
                         Debug( LDAP_DEBUG_ANY,
-                               "accesslog_init: register_at failed\n", 0, 0, 0 );
+                               "accesslog_init: register_at failed\n",
+                               0, 0, 0 );
                         return -1;
                 }
+#ifndef LDAP_DEVEL
+               (*lattrs[i].ad)->ad_type->sat_flags |= SLAP_AT_HIDE;
+#endif
         }
+
         for ( i=0; locs[i].ot; i++ ) {
                 int code;
  
                 code = register_oc( locs[i].ot, locs[i].oc, 0 );
                 if ( code ) {
                         Debug( LDAP_DEBUG_ANY,
-                               "accesslog_init: register_oc failed\n", 0, 0, 0 );
+                               "accesslog_init: register_oc failed\n",
+                               0, 0, 0 );
                         return -1;
                 }
+#ifndef LDAP_DEVEL
+               (*locs[i].oc)->soc_flags |= SLAP_OC_HIDE;
+#endif
         }
  
         return overlay_register(&accesslog);