cleanup

[openldap] / servers / slapd / schema_init.c
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c

index 5d373374397479658ec9cd727cac7c939bc66ae4..52cb7f8550e5a78cc7f3209bbffb464cdeac1896 100644 (file)
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -2,7 +2,7 @@
  /* $OpenLDAP$ */
  /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   *
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
   * All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
@@ -17,7 +17,9 @@
  #include "portable.h"
  
  #include <stdio.h>
+#ifdef HAVE_LIMITS_H
  #include <limits.h>
+#endif
  
  #include <ac/ctype.h>
  #include <ac/errno.h>
@@ -48,8 +50,6 @@
  #define HASH_Update(c,buf,len) lutil_HASHUpdate(c,buf,len)
  #define HASH_Final(d,c)                        lutil_HASHFinal(d,c)
  
-#define        OpenLDAPaciMatch                        NULL
-
  /* approx matching rules */
  #define directoryStringApproxMatchOID  "1.3.6.1.4.1.4203.666.4.4"
  #define directoryStringApproxMatch             approxMatch
@@ -67,11 +67,19 @@
  #define csnIndexer                             generalizedTimeIndexer
  #define csnFilter                              generalizedTimeFilter
  
+#ifdef SLAP_AUTHZ_SYNTAX
+/* FIXME: temporary */
+#define authzMatch                             octetStringMatch
+#endif /* SLAP_AUTHZ_SYNTAX */
+
  unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT;
  unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT;
  unsigned int index_substr_any_len = SLAP_INDEX_SUBSTR_ANY_LEN_DEFAULT;
  unsigned int index_substr_any_step = SLAP_INDEX_SUBSTR_ANY_STEP_DEFAULT;
  
+ldap_pvt_thread_mutex_t        ad_undef_mutex;
+ldap_pvt_thread_mutex_t        oc_undef_mutex;
+
  static int
  inValidate(
         Syntax *syntax,
@@ -119,7 +127,7 @@ static int certificateValidate( Syntax *syntax, struct berval *in )
  #define certificateValidate sequenceValidate
  #endif
  
-static int
+int
  octetStringMatch(
         int *matchp,
         slap_mask_t flags,
@@ -161,16 +169,13 @@ octetStringOrderingMatch(
         return LDAP_SUCCESS;
  }
  
-void
-hashDigestify(
+static void
+hashPreset(
         HASH_CONTEXT *HASHcontext,
-       unsigned char *HASHdigest,
         struct berval *prefix,
         char pre,
         Syntax *syntax,
-       MatchingRule *mr,
-       unsigned char *value,
-       int value_len)
+       MatchingRule *mr)
  {
         HASH_Init(HASHcontext);
         if(prefix && prefix->bv_len > 0) {
@@ -180,11 +185,21 @@ hashDigestify(
         if(pre) HASH_Update(HASHcontext, (unsigned char*)&pre, sizeof(pre));
         HASH_Update(HASHcontext, (unsigned char*)syntax->ssyn_oid, syntax->ssyn_oidlen);
         HASH_Update(HASHcontext, (unsigned char*)mr->smr_oid, mr->smr_oidlen);
-       HASH_Update(HASHcontext, value, value_len);
-       HASH_Final(HASHdigest, HASHcontext);
         return;
  }
  
+static void
+hashIter(
+       HASH_CONTEXT *HASHcontext,
+       unsigned char *HASHdigest,
+       unsigned char *value,
+       int len)
+{
+       HASH_CONTEXT ctx = *HASHcontext;
+       HASH_Update( &ctx, value, len );
+       HASH_Final( HASHdigest, &ctx );
+}
+
  /* Index generation function */
  int octetStringIndexer(
         slap_mask_t use,
@@ -217,9 +232,10 @@ int octetStringIndexer(
         slen = syntax->ssyn_oidlen;
         mlen = mr->smr_oidlen;
  
+       hashPreset( &HASHcontext, prefix, 0, syntax, mr);
         for( i=0; !BER_BVISNULL( &values[i] ); i++ ) {
-               hashDigestify( &HASHcontext, HASHdigest, prefix, 0,
-                       syntax, mr, (unsigned char *)values[i].bv_val, values[i].bv_len );
+               hashIter( &HASHcontext, HASHdigest,
+                       (unsigned char *)values[i].bv_val, values[i].bv_len );
                 ber_dupbv_x( &keys[i], &digest, ctx );
         }
  
@@ -255,8 +271,9 @@ int octetStringFilter(
  
         keys = slap_sl_malloc( sizeof( struct berval ) * 2, ctx );
  
-       hashDigestify( &HASHcontext, HASHdigest, prefix, 0,
-               syntax, mr, (unsigned char *)value->bv_val, value->bv_len );
+       hashPreset( &HASHcontext, prefix, 0, syntax, mr );
+       hashIter( &HASHcontext, HASHdigest,
+               (unsigned char *)value->bv_val, value->bv_len );
  
         ber_dupbv_x( keys, &digest, ctx );
         BER_BVZERO( &keys[1] );
@@ -402,11 +419,11 @@ octetStringSubstringsIndexer(
         BerVarray *keysp,
         void *ctx )
  {
-       ber_len_t i, j, len, nkeys;
+       ber_len_t i, nkeys;
         size_t slen, mlen;
         BerVarray keys;
  
-       HASH_CONTEXT HASHcontext;
+       HASH_CONTEXT HCany, HCini, HCfin;
         unsigned char HASHdigest[HASH_BYTES];
         struct berval digest;
         digest.bv_val = (char *)HASHdigest;
@@ -452,6 +469,13 @@ octetStringSubstringsIndexer(
         slen = syntax->ssyn_oidlen;
         mlen = mr->smr_oidlen;
  
+       if ( flags & SLAP_INDEX_SUBSTR_ANY )
+               hashPreset( &HCany, prefix, SLAP_INDEX_SUBSTR_PREFIX, syntax, mr );
+       if( flags & SLAP_INDEX_SUBSTR_INITIAL )
+               hashPreset( &HCini, prefix, SLAP_INDEX_SUBSTR_INITIAL_PREFIX, syntax, mr );
+       if( flags & SLAP_INDEX_SUBSTR_FINAL )
+               hashPreset( &HCfin, prefix, SLAP_INDEX_SUBSTR_FINAL_PREFIX, syntax, mr );
+
         nkeys = 0;
         for ( i = 0; !BER_BVISNULL( &values[i] ); i++ ) {
                 ber_len_t j,max;
@@ -459,12 +483,12 @@ octetStringSubstringsIndexer(
                 if( ( flags & SLAP_INDEX_SUBSTR_ANY ) &&
                         ( values[i].bv_len >= index_substr_any_len ) )
                 {
-                       char pre = SLAP_INDEX_SUBSTR_PREFIX;
                         max = values[i].bv_len - (index_substr_any_len - 1);
  
                         for( j=0; j<max; j++ ) {
-                               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                                       syntax, mr, (unsigned char *)&values[i].bv_val[j], index_substr_any_len);
+                               hashIter( &HCany, HASHdigest,
+                                       (unsigned char *)&values[i].bv_val[j],
+                                       index_substr_any_len );
                                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
                         }
                 }
@@ -476,19 +500,16 @@ octetStringSubstringsIndexer(
                         ? index_substr_if_maxlen : values[i].bv_len;
  
                 for( j=index_substr_if_minlen; j<=max; j++ ) {
-                       char pre;
  
                         if( flags & SLAP_INDEX_SUBSTR_INITIAL ) {
-                               pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX;
-                               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                                       syntax, mr, (unsigned char *)values[i].bv_val, j );
+                               hashIter( &HCini, HASHdigest,
+                                       (unsigned char *)values[i].bv_val, j );
                                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
                         }
  
                         if( flags & SLAP_INDEX_SUBSTR_FINAL ) {
-                               pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX;
-                               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                                       syntax, mr, (unsigned char *)&values[i].bv_val[values[i].bv_len-j], j );
+                               hashIter( &HCfin, HASHdigest,
+                                       (unsigned char *)&values[i].bv_val[values[i].bv_len-j], j );
                                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
                         }
  
@@ -519,7 +540,7 @@ octetStringSubstringsFilter (
  {
         SubstringsAssertion *sa;
         char pre;
-       ber_len_t len, max, nkeys = 0;
+       ber_len_t nkeys = 0;
         size_t slen, mlen, klen;
         BerVarray keys;
         HASH_CONTEXT HASHcontext;
@@ -588,8 +609,9 @@ octetStringSubstringsFilter (
                 klen = index_substr_if_maxlen < value->bv_len
                         ? index_substr_if_maxlen : value->bv_len;
  
-               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                       syntax, mr, (unsigned char *)value->bv_val, klen );
+               hashPreset( &HASHcontext, prefix, pre, syntax, mr );
+               hashIter( &HASHcontext, HASHdigest,
+                       (unsigned char *)value->bv_val, klen );
                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
  
                 /* If initial is too long and we have subany indexed, use it
@@ -599,10 +621,11 @@ octetStringSubstringsFilter (
                 {
                         ber_len_t j;
                         pre = SLAP_INDEX_SUBSTR_PREFIX;
+                       hashPreset( &HASHcontext, prefix, pre, syntax, mr);
                         for ( j=index_substr_if_maxlen-1; j <= value->bv_len - index_substr_any_len; j+=index_substr_any_step )
                         {
-                               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                                       syntax, mr, (unsigned char *)&value->bv_val[j], index_substr_any_len );
+                               hashIter( &HASHcontext, HASHdigest,
+                                       (unsigned char *)&value->bv_val[j], index_substr_any_len );
                                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
                         }
                 }
@@ -620,12 +643,13 @@ octetStringSubstringsFilter (
  
                         value = &sa->sa_any[i];
  
+                       hashPreset( &HASHcontext, prefix, pre, syntax, mr);
                         for(j=0;
                                 j <= value->bv_len - index_substr_any_len;
                                 j += index_substr_any_step )
                         {
-                               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                                       syntax, mr, (unsigned char *)&value->bv_val[j], klen ); 
+                               hashIter( &HASHcontext, HASHdigest,
+                                       (unsigned char *)&value->bv_val[j], klen ); 
                                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
                         }
                 }
@@ -641,8 +665,9 @@ octetStringSubstringsFilter (
                 klen = index_substr_if_maxlen < value->bv_len
                         ? index_substr_if_maxlen : value->bv_len;
  
-               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                       syntax, mr, (unsigned char *)&value->bv_val[value->bv_len-klen], klen );
+               hashPreset( &HASHcontext, prefix, pre, syntax, mr );
+               hashIter( &HASHcontext, HASHdigest,
+                       (unsigned char *)&value->bv_val[value->bv_len-klen], klen );
                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
  
                 /* If final is too long and we have subany indexed, use it
@@ -652,10 +677,11 @@ octetStringSubstringsFilter (
                 {
                         ber_len_t j;
                         pre = SLAP_INDEX_SUBSTR_PREFIX;
+                       hashPreset( &HASHcontext, prefix, pre, syntax, mr);
                         for ( j=0; j <= value->bv_len - index_substr_if_maxlen; j+=index_substr_any_step )
                         {
-                               hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
-                                       syntax, mr, (unsigned char *)&value->bv_val[j], index_substr_any_len );
+                               hashIter( &HASHcontext, HASHdigest,
+                                       (unsigned char *)&value->bv_val[j], index_substr_any_len );
                                 ber_dupbv_x( &keys[nkeys++], &digest, ctx );
                         }
                 }
@@ -890,8 +916,8 @@ nameUIDPretty(
         struct berval *out,
         void *ctx )
  {
-       assert( val );
-       assert( out );
+       assert( val != NULL );
+       assert( out != NULL );
  
  
         Debug( LDAP_DEBUG_TRACE, ">>> nameUIDPretty: <%s>\n", val->bv_val, 0, 0 );
@@ -1058,8 +1084,9 @@ uniqueMemberMatch(
         struct berval *asserted = (struct berval *) assertedValue;
         struct berval assertedDN = *asserted;
         struct berval assertedUID = BER_BVNULL;
-       struct berval valueDN = BER_BVNULL;
+       struct berval valueDN = *value;
         struct berval valueUID = BER_BVNULL;
+       int approx = ((flags & SLAP_MR_EQUALITY_APPROX) == SLAP_MR_EQUALITY_APPROX);
  
         if ( !BER_BVISEMPTY( asserted ) ) {
                 assertedUID.bv_val = strrchr( assertedDN.bv_val, '#' );
@@ -1078,7 +1105,6 @@ uniqueMemberMatch(
         }
  
         if ( !BER_BVISEMPTY( value ) ) {
-               valueDN = *value;
  
                 valueUID.bv_val = strrchr( valueDN.bv_val, '#' );
                 if ( !BER_BVISNULL( &valueUID ) ) {
@@ -1107,11 +1133,109 @@ uniqueMemberMatch(
                         *matchp = match;
                         return LDAP_SUCCESS;
                 }
+
+       } else if ( !approx && valueUID.bv_len ) {
+               match = -1;
+               *matchp = match;
+               return LDAP_SUCCESS;
+
+       } else if ( !approx && assertedUID.bv_len ) {
+               match = 1;
+               *matchp = match;
+               return LDAP_SUCCESS;
         }
  
         return dnMatch( matchp, flags, syntax, mr, &valueDN, &assertedDN );
  }
  
+static int 
+uniqueMemberIndexer(
+       slap_mask_t use,
+       slap_mask_t flags,
+       Syntax *syntax,
+       MatchingRule *mr,
+       struct berval *prefix,
+       BerVarray values,
+       BerVarray *keysp,
+       void *ctx )
+{
+       BerVarray dnvalues;
+       int rc;
+       int i;
+       for( i=0; !BER_BVISNULL( &values[i] ); i++ ) {
+               /* just count them */                 
+       }
+       assert( i > 0 );
+
+       dnvalues = slap_sl_malloc( sizeof( struct berval ) * (i+1), ctx );
+
+       for( i=0; !BER_BVISNULL( &values[i] ); i++ ) {
+               struct berval assertedDN = values[i];
+               struct berval assertedUID = BER_BVNULL;
+
+               if ( !BER_BVISEMPTY( &assertedDN ) ) {
+                       assertedUID.bv_val = strrchr( assertedDN.bv_val, '#' );
+                       if ( !BER_BVISNULL( &assertedUID ) ) {
+                               assertedUID.bv_val++;
+                               assertedUID.bv_len = assertedDN.bv_len
+                                       - ( assertedUID.bv_val - assertedDN.bv_val );
+       
+                               if ( bitStringValidate( NULL, &assertedUID ) == LDAP_SUCCESS ) {
+                                       assertedDN.bv_len -= assertedUID.bv_len + 1;
+
+                               } else {
+                                       BER_BVZERO( &assertedUID );
+                               }
+                       }
+               }
+
+               dnvalues[i] = assertedDN;
+       }
+       BER_BVZERO( &dnvalues[i] );
+
+       rc = octetStringIndexer( use, flags, syntax, mr, prefix,
+               dnvalues, keysp, ctx );
+
+       slap_sl_free( dnvalues, ctx );
+       return rc;
+}
+
+static int 
+uniqueMemberFilter(
+       slap_mask_t use,
+       slap_mask_t flags,
+       Syntax *syntax,
+       MatchingRule *mr,
+       struct berval *prefix,
+       void * assertedValue,
+       BerVarray *keysp,
+       void *ctx )
+{
+       struct berval *asserted = (struct berval *) assertedValue;
+       struct berval assertedDN = *asserted;
+       struct berval assertedUID = BER_BVNULL;
+
+       if ( !BER_BVISEMPTY( asserted ) ) {
+               assertedUID.bv_val = strrchr( assertedDN.bv_val, '#' );
+               if ( !BER_BVISNULL( &assertedUID ) ) {
+                       assertedUID.bv_val++;
+                       assertedUID.bv_len = assertedDN.bv_len
+                               - ( assertedUID.bv_val - assertedDN.bv_val );
+
+                       if ( bitStringValidate( NULL, &assertedUID ) == LDAP_SUCCESS ) {
+                               assertedDN.bv_len -= assertedUID.bv_len + 1;
+
+                       } else {
+                               BER_BVZERO( &assertedUID );
+                       }
+               }
+       }
+
+       return octetStringFilter( use, flags, syntax, mr, prefix,
+               &assertedDN, keysp, ctx );
+}
+
+
  /*
   * Handling boolean syntax and matching is quite rigid.
   * A more flexible approach would be to allow a variety
@@ -1323,7 +1447,10 @@ UTF8StringNormalize(
         nvalue.bv_len = 0;
         nvalue.bv_val = tmp.bv_val;
  
-       wasspace = 1; /* trim leading spaces */
+       /* trim leading spaces? */
+       wasspace = !((( use & SLAP_MR_SUBSTR_ANY ) == SLAP_MR_SUBSTR_ANY ) ||
+               (( use & SLAP_MR_SUBSTR_FINAL ) == SLAP_MR_SUBSTR_FINAL ));
+
         for( i = 0; i < tmp.bv_len; i++) {
                 if ( ASCII_SPACE( tmp.bv_val[i] )) {
                         if( wasspace++ == 0 ) {
@@ -1337,8 +1464,11 @@ UTF8StringNormalize(
         }
  
         if( !BER_BVISEMPTY( &nvalue ) ) {
-               if( wasspace ) {
-                       /* last character was a space, trim it */
+               /* trim trailing space? */
+               if( wasspace && (
+                       (( use & SLAP_MR_SUBSTR_INITIAL ) != SLAP_MR_SUBSTR_INITIAL ) &&
+                       ( use & SLAP_MR_SUBSTR_ANY ) != SLAP_MR_SUBSTR_ANY ))
+               {
                         --nvalue.bv_len;
                 }
                 nvalue.bv_val[nvalue.bv_len] = '\0';
@@ -1354,6 +1484,137 @@ UTF8StringNormalize(
         return LDAP_SUCCESS;
  }
  
+static int
+directoryStringSubstringsMatch(
+       int *matchp,
+       slap_mask_t flags,
+       Syntax *syntax,
+       MatchingRule *mr,
+       struct berval *value,
+       void *assertedValue )
+{
+       int match = 0;
+       SubstringsAssertion *sub = assertedValue;
+       struct berval left = *value;
+       int i;
+       int priorspace=0;
+
+       if ( !BER_BVISNULL( &sub->sa_initial ) ) {
+               if ( sub->sa_initial.bv_len > left.bv_len ) {
+                       /* not enough left */
+                       match = 1;
+                       goto done;
+               }
+
+               match = memcmp( sub->sa_initial.bv_val, left.bv_val,
+                       sub->sa_initial.bv_len );
+
+               if ( match != 0 ) {
+                       goto done;
+               }
+
+               left.bv_val += sub->sa_initial.bv_len;
+               left.bv_len -= sub->sa_initial.bv_len;
+
+               priorspace = ASCII_SPACE(
+                       sub->sa_initial.bv_val[sub->sa_initial.bv_len] );
+       }
+
+       if ( sub->sa_any ) {
+               for ( i = 0; !BER_BVISNULL( &sub->sa_any[i] ); i++ ) {
+                       ber_len_t idx;
+                       char *p;
+
+                       if( priorspace && !BER_BVISEMPTY( &sub->sa_any[i] ) 
+                               && ASCII_SPACE( sub->sa_any[i].bv_val[0] ))
+                       { 
+                               /* allow next space to match */
+                               left.bv_val--;
+                               left.bv_len++;
+                       }
+                       priorspace=0;
+
+retry:
+                       if ( BER_BVISEMPTY( &sub->sa_any[i] ) ) {
+                               continue;
+                       }
+
+                       if ( sub->sa_any[i].bv_len > left.bv_len ) {
+                               /* not enough left */
+                               match = 1;
+                               goto done;
+                       }
+
+                       p = memchr( left.bv_val, *sub->sa_any[i].bv_val, left.bv_len );
+
+                       if( p == NULL ) {
+                               match = 1;
+                               goto done;
+                       }
+
+                       idx = p - left.bv_val;
+
+                       if ( idx >= left.bv_len ) {
+                               /* this shouldn't happen */
+                               return LDAP_OTHER;
+                       }
+
+                       left.bv_val = p;
+                       left.bv_len -= idx;
+
+                       if ( sub->sa_any[i].bv_len > left.bv_len ) {
+                               /* not enough left */
+                               match = 1;
+                               goto done;
+                       }
+
+                       match = memcmp( left.bv_val,
+                               sub->sa_any[i].bv_val,
+                               sub->sa_any[i].bv_len );
+
+                       if ( match != 0 ) {
+                               left.bv_val++;
+                               left.bv_len--;
+                               goto retry;
+                       }
+
+                       left.bv_val += sub->sa_any[i].bv_len;
+                       left.bv_len -= sub->sa_any[i].bv_len;
+
+                       priorspace = ASCII_SPACE(
+                               sub->sa_any[i].bv_val[sub->sa_any[i].bv_len] );
+               }
+       }
+
+       if ( !BER_BVISNULL( &sub->sa_final ) ) {
+               if( priorspace && !BER_BVISEMPTY( &sub->sa_final ) 
+                       && ASCII_SPACE( sub->sa_final.bv_val[0] ))
+               { 
+                       /* allow next space to match */
+                       left.bv_val--;
+                       left.bv_len++;
+               }
+
+               if ( sub->sa_final.bv_len > left.bv_len ) {
+                       /* not enough left */
+                       match = 1;
+                       goto done;
+               }
+
+               match = memcmp( sub->sa_final.bv_val,
+                       &left.bv_val[left.bv_len - sub->sa_final.bv_len],
+                       sub->sa_final.bv_len );
+
+               if ( match != 0 ) {
+                       goto done;
+               }
+       }
+
+done:
+       *matchp = match;
+       return LDAP_SUCCESS;
+}
+
  #if defined(SLAPD_APPROX_INITIALS)
  #      define SLAPD_APPROX_DELIMITER "._ "
  #      define SLAPD_APPROX_WORDLEN 2
@@ -1618,7 +1879,7 @@ telephoneNumberNormalize(
         return LDAP_SUCCESS;
  }
  
-static int
+int
  numericoidValidate(
         Syntax *syntax,
         struct berval *in )
@@ -1635,7 +1896,7 @@ numericoidValidate(
                         return LDAP_SUCCESS;
                 }
  
-               if ( val.bv_val[0] == '0' ) {
+               if ( val.bv_val[0] == '0' && !OID_SEPARATOR( val.bv_val[1] )) {
                         break;
                 }
  
@@ -1840,7 +2101,8 @@ IA5StringNormalize(
         void *ctx )
  {
         char *p, *q;
-       int casefold = !SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match);
+       int casefold = !SLAP_MR_ASSOCIATED( mr,
+               slap_schema.si_mr_caseExactIA5Match );
  
         assert( !BER_BVISEMPTY( val ) );
  
@@ -1927,6 +2189,56 @@ UUIDValidate(
  }
  
  static int
+UUIDPretty(
+       Syntax *syntax,
+       struct berval *in,
+       struct berval *out,
+       void *ctx )
+{
+       int i;
+       int rc=LDAP_INVALID_SYNTAX;
+
+       assert( in != NULL );
+       assert( out != NULL );
+
+       if( in->bv_len != 36 ) return LDAP_INVALID_SYNTAX;
+
+       out->bv_len = 36;
+       out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
+
+       for( i=0; i<36; i++ ) {
+               switch(i) {
+                       case 8:
+                       case 13:
+                       case 18:
+                       case 23:
+                               if( in->bv_val[i] != '-' ) {
+                                       goto handle_error;
+                               }
+                               out->bv_val[i] = '-';
+                               break;
+
+                       default:
+                               if( !ASCII_HEX( in->bv_val[i]) ) {
+                                       goto handle_error;
+                               }
+                               out->bv_val[i] = TOLOWER( in->bv_val[i] );
+               }
+       }
+
+       rc = LDAP_SUCCESS;
+       out->bv_val[ out->bv_len ] = '\0';
+
+       if( 0 ) {
+handle_error:
+               slap_sl_free( out->bv_val, ctx );
+               out->bv_val = NULL;
+       }
+
+       return rc;
+}
+
+int
  UUIDNormalize(
         slap_mask_t usage,
         Syntax *syntax,
@@ -2083,7 +2395,7 @@ integerBitAndMatch(
                 return LDAP_CONSTRAINT_VIOLATION;
         }
  
-       *matchp = (lValue & lAssertedValue) ? 0 : 1;
+       *matchp = ((lValue & lAssertedValue) == lAssertedValue) ? 0 : 1;
         return LDAP_SUCCESS;
  }
  
@@ -2114,7 +2426,7 @@ integerBitOrMatch(
                 return LDAP_CONSTRAINT_VIOLATION;
         }
  
-       *matchp = (lValue | lAssertedValue) ? 0 : -1;
+       *matchp = ((lValue & lAssertedValue) != 0) ? 0 : -1;
         return LDAP_SUCCESS;
  }
  
@@ -2124,97 +2436,524 @@ serialNumberAndIssuerValidate(
         struct berval *in )
  {
         int rc;
-       int state;
         ber_len_t n;
         struct berval sn, i;
-       if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
  
-       i.bv_val = strchr( in->bv_val, '$' );
-       if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+       Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerValidate: <%s>\n",
+               in->bv_val, 0, 0 );
  
-       sn.bv_val = in->bv_val;
-       sn.bv_len = i.bv_val - in->bv_val;
+       if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
  
-       i.bv_val++;
-       i.bv_len = in->bv_len - (sn.bv_len + 1);
+       if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+               /* Parse old format */
+               i.bv_val = ber_bvchr( in, '$' );
+               if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
  
-       /* validate serial number (strict for now) */
-       for( n=0; n < sn.bv_len; n++ ) {
-               if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
-       }
+               sn.bv_val = in->bv_val;
+               sn.bv_len = i.bv_val - in->bv_val;
  
-       /* validate DN */
-       rc = dnValidate( NULL, &i );
-       if( rc ) return LDAP_INVALID_SYNTAX;
+               i.bv_val++;
+               i.bv_len = in->bv_len - (sn.bv_len + 1);
  
-       return LDAP_SUCCESS;
-}
+               /* eat leading zeros */
+               for( n=0; n < (sn.bv_len-1); n++ ) {
+                       if( sn.bv_val[n] != '0' ) break;
+               }
+               sn.bv_val += n;
+               sn.bv_len -= n;
  
-int
-serialNumberAndIssuerPretty(
-       Syntax *syntax,
-       struct berval *val,
-       struct berval *out,
-       void *ctx )
-{
-       int rc;
-       int state;
-       ber_len_t n;
-       struct berval sn, i, newi;
+               for( n=0; n < sn.bv_len; n++ ) {
+                       if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+               }
  
-       assert( val );
-       assert( out );
+       } else {
+               /* Parse GSER format */ 
+               int havesn=0,haveissuer=0;
+               struct berval x = *in;
+               x.bv_val++;
+               x.bv_len-=2;
+
+               /* eat leading spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
  
-       Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n",
-               val->bv_val, 0, 0 );
+               if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
+                       return LDAP_INVALID_SYNTAX;
+               }
  
-       if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+               /* should be at issuer or serialNumber NamedValue */
+               if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
  
-       i.bv_val = strchr( val->bv_val, '$' );
-       if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
  
-       sn.bv_val = val->bv_val;
-       sn.bv_len = i.bv_val - val->bv_val;
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
  
-       i.bv_val++;
-       i.bv_len = val->bv_len - (sn.bv_len + 1);
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
  
-       /* eat leading zeros */
-       for( n=0; n < (sn.bv_len-1); n++ ) {
-               if( sn.bv_val[n] != '0' ) break;
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+                       if ( x.bv_len < STRLENOF(",serialNumber 0")) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       haveissuer++;
+
+               } else if( strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 )
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+
+                       if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       havesn++;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
+               x.bv_val++; x.bv_len--;
+
+               /* eat spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should be at remaining NamedValue */
+               if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
+                       STRLENOF("issuer" )) == 0 ))
+               {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                                /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+               } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 ))
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len;
+                       x.bv_len -= sn.bv_len;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               /* eat trailing spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should have no characters left... */
+               if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+       }
+
+       /* validate DN -- doesn't handle double dquote */ 
+       rc = dnValidate( NULL, &i );
+       if( rc ) return LDAP_INVALID_SYNTAX;
+
+       Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerValidate: OKAY\n",
+               in->bv_val, 0, 0 );
+       return LDAP_SUCCESS;
+}
+
+int
+serialNumberAndIssuerPretty(
+       Syntax *syntax,
+       struct berval *in,
+       struct berval *out,
+       void *ctx )
+{
+       int rc;
+       ber_len_t n;
+       struct berval sn, i, ni;
+
+       assert( in != NULL );
+       assert( out != NULL );
+
+       Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n",
+               in->bv_val, 0, 0 );
+
+       if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+       if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+               /* Parse old format */
+               i.bv_val = ber_bvchr( in, '$' );
+               if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+
+               sn.bv_val = in->bv_val;
+               sn.bv_len = i.bv_val - in->bv_val;
+
+               i.bv_val++;
+               i.bv_len = in->bv_len - (sn.bv_len + 1);
+
+               /* eat leading zeros */
+               for( n=0; n < (sn.bv_len-1); n++ ) {
+                       if( sn.bv_val[n] != '0' ) break;
+               }
+               sn.bv_val += n;
+               sn.bv_len -= n;
+
+               for( n=0; n < sn.bv_len; n++ ) {
+                       if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+               }
+
+       } else {
+               /* Parse GSER format */ 
+               int havesn=0,haveissuer=0;
+               struct berval x = *in;
+               x.bv_val++;
+               x.bv_len-=2;
+
+               /* eat leading spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               /* should be at issuer or serialNumber NamedValue */
+               if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+                       if ( x.bv_len < STRLENOF(",serialNumber 0")) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       haveissuer++;
+
+               } else if( strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 )
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+
+                       if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       havesn++;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
+               x.bv_val++; x.bv_len--;
+
+               /* eat spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should be at remaining NamedValue */
+               if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
+                       STRLENOF("issuer" )) == 0 ))
+               {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                                /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+               } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 ))
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len;
+                       x.bv_len -= sn.bv_len;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               /* eat trailing spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should have no characters left... */
+               if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+
+               ber_dupbv_x( &ni, &i, ctx );
+               i = ni;
+
+               /* need to handle double dquotes here */
         }
-       sn.bv_val += n;
-       sn.bv_len -= n;
  
-       for( n=0; n < sn.bv_len; n++ ) {
-               if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+       rc = dnPretty( syntax, &i, &ni, ctx );
+
+       if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+               slap_sl_free( i.bv_val, ctx );
         }
  
-       /* pretty DN */
-       rc = dnPretty( syntax, &i, &newi, ctx );
         if( rc ) return LDAP_INVALID_SYNTAX;
  
         /* make room from sn + "$" */
-       out->bv_len = sn.bv_len + newi.bv_len + 1;
-       out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
+       out->bv_len = STRLENOF("{ serialNumber , issuer \"\" }")
+               + sn.bv_len + ni.bv_len;
+       out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
  
-       if( BER_BVISNULL( out ) ) {
-               slap_sl_free( newi.bv_val, ctx );
+       if( out->bv_val == NULL ) {
+               out->bv_len = 0;
+               slap_sl_free( ni.bv_val, ctx );
                 return LDAP_OTHER;
         }
  
-       /* push issuer over */
-       AC_MEMCPY( &out->bv_val[sn.bv_len+1], newi.bv_val, newi.bv_len );
-       /* insert sn and "$" */
-       AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
-       out->bv_val[sn.bv_len] = '$';
-       /* terminate */
-       out->bv_val[out->bv_len] = '\0';
+       n = 0;
+       AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
+               STRLENOF("{ serialNumber "));
+       n = STRLENOF("{ serialNumber ");
+
+       AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
+       n += sn.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF(", issuer \""));
+       n += STRLENOF(", issuer \"");
+
+       AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
+       n += ni.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF("\" }"));
+       n += STRLENOF("\" }");
+
+       out->bv_val[n] = '\0';
+
+       assert( n == out->bv_len );
  
         Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n",
                 out->bv_val, 0, 0 );
  
-       return LDAP_SUCCESS;
+       slap_sl_free( ni.bv_val, ctx );
+
+       return LDAP_SUCCESS; 
  }
  
  /*
@@ -2228,70 +2967,287 @@ serialNumberAndIssuerNormalize(
         slap_mask_t usage,
         Syntax *syntax,
         MatchingRule *mr,
-       struct berval *val,
+       struct berval *in,
         struct berval *out,
         void *ctx )
  {
         int rc;
-       int state;
         ber_len_t n;
-       struct berval sn, i, newi;
+       struct berval sn, i, ni;
  
-       assert( val );
-       assert( out );
+       assert( in != NULL );
+       assert( out != NULL );
  
         Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerNormalize: <%s>\n",
-               val->bv_val, 0, 0 );
+               in->bv_val, 0, 0 );
  
-       if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+       if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
  
-       i.bv_val = strchr( val->bv_val, '$' );
-       if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+       if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+               /* Parse old format */
+               i.bv_val = ber_bvchr( in, '$' );
+               if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
  
-       sn.bv_val = val->bv_val;
-       sn.bv_len = i.bv_val - val->bv_val;
+               sn.bv_val = in->bv_val;
+               sn.bv_len = i.bv_val - in->bv_val;
  
-       i.bv_val++;
-       i.bv_len = val->bv_len - (sn.bv_len + 1);
+               i.bv_val++;
+               i.bv_len = in->bv_len - (sn.bv_len + 1);
  
-       /* eat leading zeros */
-       for( n=0; n < (sn.bv_len-1); n++ ) {
-               if( sn.bv_val[n] != '0' ) break;
-       }
-       sn.bv_val += n;
-       sn.bv_len -= n;
+               /* eat leading zeros */
+               for( n=0; n < (sn.bv_len-1); n++ ) {
+                       if( sn.bv_val[n] != '0' ) break;
+               }
+               sn.bv_val += n;
+               sn.bv_len -= n;
+
+               for( n=0; n < sn.bv_len; n++ ) {
+                       if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+               }
  
-       for( n=0; n < sn.bv_len; n++ ) {
-               if( !ASCII_DIGIT(sn.bv_val[n]) ) {
+       } else {
+               /* Parse GSER format */ 
+               int havesn=0,haveissuer=0;
+               struct berval x = *in;
+               x.bv_val++;
+               x.bv_len-=2;
+
+               /* eat leading spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
                         return LDAP_INVALID_SYNTAX;
                 }
+
+               /* should be at issuer or serialNumber NamedValue */
+               if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+                       if ( x.bv_len < STRLENOF(",serialNumber 0")) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       haveissuer++;
+
+               } else if( strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 )
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+
+                       if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       havesn++;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
+               x.bv_val++; x.bv_len--;
+
+               /* eat spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should be at remaining NamedValue */
+               if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
+                       STRLENOF("issuer" )) == 0 ))
+               {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                                /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+               } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 ))
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len;
+                       x.bv_len -= sn.bv_len;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               /* eat trailing spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should have no characters left... */
+               if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+
+               ber_dupbv_x( &ni, &i, ctx );
+               i = ni;
+
+               /* need to handle double dquotes here */
+       }
+
+       rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx );
+
+       if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+               slap_sl_free( i.bv_val, ctx );
         }
  
-       /* pretty DN */
-       rc = dnNormalize( usage, syntax, mr, &i, &newi, ctx );
         if( rc ) return LDAP_INVALID_SYNTAX;
  
         /* make room from sn + "$" */
-       out->bv_len = sn.bv_len + newi.bv_len + 1;
-       out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
+       out->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
+               + sn.bv_len + ni.bv_len;
+       out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
  
-       if( BER_BVISNULL( out ) ) {
-               slap_sl_free( newi.bv_val, ctx );
+       if( out->bv_val == NULL ) {
+               out->bv_len = 0;
+               slap_sl_free( ni.bv_val, ctx );
                 return LDAP_OTHER;
         }
  
-       /* push issuer over */
-       AC_MEMCPY( &out->bv_val[sn.bv_len+1], newi.bv_val, newi.bv_len );
-       /* insert sn and "$" */
-       AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
-       out->bv_val[sn.bv_len] = '$';
-       /* terminate */
-       out->bv_val[out->bv_len] = '\0';
+       n = 0;
+       AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
+               STRLENOF( "{ serialNumber " ));
+       n = STRLENOF( "{ serialNumber " );
+
+       AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
+       n += sn.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF( ", issuer \"" ));
+       n += STRLENOF( ", issuer \"" );
+
+       AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
+       n += ni.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF( "\" }" ));
+       n += STRLENOF( "\" }" );
+
+       out->bv_val[n] = '\0';
+
+       assert( n == out->bv_len );
  
         Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
                 out->bv_val, 0, 0 );
  
-       return rc;
+       slap_sl_free( ni.bv_val, ctx );
+
+       return LDAP_SUCCESS;
  }
  
  #ifdef HAVE_TLS
@@ -2336,19 +3292,34 @@ certificateExactNormalize(
         rc = dnX509normalize( name, &issuer_dn );
         if( rc != LDAP_SUCCESS ) goto done;
  
-       normalized->bv_len = seriallen + issuer_dn.bv_len + 1;
+       normalized->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
+               + seriallen + issuer_dn.bv_len;
         normalized->bv_val = ch_malloc(normalized->bv_len+1);
+
         p = (unsigned char *)normalized->bv_val;
+
+       AC_MEMCPY(p, "{ serialNumber ", STRLENOF( "{ serialNumber " ));
+       p += STRLENOF( "{ serialNumber " );
+
         AC_MEMCPY(p, serial, seriallen);
         p += seriallen;
-       *p++ = '$';
+
+       AC_MEMCPY(p, ", issuer \"", STRLENOF( ", issuer \"" ));
+       p += STRLENOF( ", issuer \"" );
+
         AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
         p += issuer_dn.bv_len;
+
+       AC_MEMCPY(p, "\" }", STRLENOF( "\" }" ));
+       p += STRLENOF( "\" }" );
+
         *p = '\0';
  
         Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n",
                 normalized->bv_val, NULL, NULL );
  
+       rc = LDAP_SUCCESS;
+
  done:
         if (xcert) X509_free(xcert);
         if (serial) ch_free(serial);
@@ -2608,7 +3579,7 @@ generalizedTimeNormalize(
                 return rc;
         }
  
-       len = sizeof("YYYYmmddHHMMSSZ")-1 + fraction.bv_len;
+       len = STRLENOF("YYYYmmddHHMMSSZ") + fraction.bv_len;
         normalized->bv_val = slap_sl_malloc( len + 1, ctx );
         if ( BER_BVISNULL( normalized ) ) {
                 return LBER_ERROR_MEMORY;
@@ -2618,9 +3589,9 @@ generalizedTimeNormalize(
                 parts[0], parts[1], parts[2] + 1, parts[3] + 1,
                 parts[4], parts[5], parts[6] );
         if ( !BER_BVISEMPTY( &fraction ) ) {
-               memcpy( normalized->bv_val + sizeof("YYYYmmddHHMMSSZ")-2,
+               memcpy( normalized->bv_val + STRLENOF("YYYYmmddHHMMSSZ")-1,
                         fraction.bv_val, fraction.bv_len );
-               normalized->bv_val[sizeof("YYYYmmddHHMMSSZ")-2] = '.';
+               normalized->bv_val[STRLENOF("YYYYmmddHHMMSSZ")-1] = '.';
         }
         strcpy( normalized->bv_val + len-1, "Z" );
         normalized->bv_len = len;
@@ -2662,7 +3633,6 @@ int generalizedTimeIndexer(
         void *ctx )
  {
         int i, j;
-       size_t slen, mlen;
         BerVarray keys;
         char tmp[5];
         BerValue bvtmp; /* 40 bit index */
@@ -3176,19 +4146,23 @@ static slap_syntax_defs_rec syntax_defs[] = {
         {"( 1.3.6.1.1.1.0.1  DESC 'RFC2307 Boot Parameter' )",
                 0, bootParameterValidate, NULL},
  
-       /* From PKIX *//* This OID is not published yet. */
-       {"( 1.2.826.0.1.3344810.7.1 DESC 'Certificate Serial Number and Issuer' )",
+       /* draft-zeilenga-ldap-x509 */
+       {"( 1.3.6.1.1.15.1 DESC 'Certificate Exact Assertion' )",
                 SLAP_SYNTAX_HIDE,
                 serialNumberAndIssuerValidate,
                 serialNumberAndIssuerPretty},
-
-#ifdef SLAPD_ACI_ENABLED
-       /* OpenLDAP Experimental Syntaxes */
-       {"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
-               SLAP_SYNTAX_HIDE,
-               UTF8StringValidate /* THIS WILL CHANGE FOR NEW ACI SYNTAX */,
-               NULL},
-#endif
+       {"( 1.3.6.1.1.15.2 DESC 'Certificate Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.3 DESC 'Certificate Pair Exact Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.4 DESC 'Certificate Pair Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.5 DESC 'Certificate List Exact Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.6 DESC 'Certificate List Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.7 DESC 'Algorithm Identifier' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
  
  #ifdef SLAPD_AUTHPASSWD
         /* needs updating */
@@ -3196,8 +4170,8 @@ static slap_syntax_defs_rec syntax_defs[] = {
                 SLAP_SYNTAX_HIDE, NULL, NULL},
  #endif
  
-       {"( 1.3.6.1.4.1.4203.666.2.6 DESC 'UUID' )",
-               SLAP_SYNTAX_HIDE, UUIDValidate, NULL},
+       {"( 1.3.6.1.1.16.1 DESC 'UUID' )",
+               0, UUIDValidate, UUIDPretty},
  
         {"( 1.3.6.1.4.1.4203.666.11.2.1 DESC 'CSN' )",
                 SLAP_SYNTAX_HIDE, csnValidate, NULL},
@@ -3205,6 +4179,13 @@ static slap_syntax_defs_rec syntax_defs[] = {
         /* OpenLDAP Void Syntax */
         {"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" ,
                 SLAP_SYNTAX_HIDE, inValidate, NULL},
+
+#ifdef SLAP_AUTHZ_SYNTAX
+       /* FIXME: OID is unused, but not registered yet */
+       {"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
+               SLAP_SYNTAX_HIDE, authzValidate, authzPretty},
+#endif /* SLAP_AUTHZ_SYNTAX */
+
         {NULL, 0, NULL, NULL}
  };
  
@@ -3247,17 +4228,18 @@ char *objectIdentifierFirstComponentMatchSyntaxes[] = {
   * 2.5.13.31*  directoryStringFirstComponentMatch
   * 2.5.13.32*  wordMatch
   * 2.5.13.33*  keywordMatch
- * 2.5.13.36   certificatePairExactMatch
- * 2.5.13.37   certificatePairMatch
- * 2.5.13.38   certificateListExactMatch
- * 2.5.13.39   certificateListMatch
- * 2.5.13.40   algorithmIdentifierMatch
+ * 2.5.13.36+  certificatePairExactMatch
+ * 2.5.13.37+  certificatePairMatch
+ * 2.5.13.38+  certificateListExactMatch
+ * 2.5.13.39+  certificateListMatch
+ * 2.5.13.40+  algorithmIdentifierMatch
   * 2.5.13.41*  storedPrefixMatch
   * 2.5.13.42   attributeCertificateMatch
   * 2.5.13.43   readerAndKeyIDMatch
   * 2.5.13.44   attributeIntegrityMatch
   *
   * (*) described in RFC 3698 (LDAP: Additional Matching Rules)
+ * (+) described in draft-zeilenga-ldap-x509
   */
  static slap_mrule_defs_rec mrule_defs[] = {
         /*
@@ -3371,7 +4353,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
         {"( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' "
                 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )",
                 SLAP_MR_SUBSTR, directoryStringSyntaxes,
-               NULL, UTF8StringNormalize, octetStringSubstringsMatch,
+               NULL, UTF8StringNormalize, directoryStringSubstringsMatch,
                 octetStringSubstringsIndexer, octetStringSubstringsFilter,
                 "caseIgnoreMatch" },
  
@@ -3392,7 +4374,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
         {"( 2.5.13.7 NAME 'caseExactSubstringsMatch' "
                 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )",
                 SLAP_MR_SUBSTR, directoryStringSyntaxes,
-               NULL, UTF8StringNormalize, octetStringSubstringsMatch,
+               NULL, UTF8StringNormalize, directoryStringSubstringsMatch,
                 octetStringSubstringsIndexer, octetStringSubstringsFilter,
                 "caseExactMatch" },
  
@@ -3501,7 +4483,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
                 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )",
                 SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL,
                 NULL, uniqueMemberNormalize, uniqueMemberMatch,
-               NULL, NULL,
+               uniqueMemberIndexer, uniqueMemberFilter,
                 NULL },
  
         {"( 2.5.13.24 NAME 'protocolInformationMatch' "
@@ -3540,7 +4522,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
                 NULL },
  
         {"( 2.5.13.34 NAME 'certificateExactMatch' "
-               "SYNTAX 1.2.826.0.1.3344810.7.1 )",
+               "SYNTAX 1.3.6.1.1.15.1 )",
                 SLAP_MR_EQUALITY | SLAP_MR_EXT, certificateExactMatchSyntaxes,
  #ifdef HAVE_TLS
                 NULL, certificateExactNormalize, octetStringMatch,
@@ -3551,14 +4533,9 @@ static slap_mrule_defs_rec mrule_defs[] = {
                 NULL },
  
         {"( 2.5.13.35 NAME 'certificateMatch' "
-               "SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )",
+               "SYNTAX 1.3.6.1.1.15.2 )",
                 SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL,
-#ifdef HAVE_TLS
-               NULL, NULL, octetStringMatch,
-               octetStringIndexer, octetStringFilter,
-#else
                 NULL, NULL, NULL, NULL, NULL,
-#endif
                 NULL },
  
         {"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' "
@@ -3578,14 +4555,14 @@ static slap_mrule_defs_rec mrule_defs[] = {
         {"( 1.3.6.1.4.1.1466.109.114.3 NAME 'caseIgnoreIA5SubstringsMatch' "
                 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
                 SLAP_MR_SUBSTR, NULL,
-               NULL, IA5StringNormalize, octetStringSubstringsMatch,
+               NULL, IA5StringNormalize, directoryStringSubstringsMatch,
                 octetStringSubstringsIndexer, octetStringSubstringsFilter,
                 "caseIgnoreIA5Match" },
  
         {"( 1.3.6.1.4.1.4203.1.2.1 NAME 'caseExactIA5SubstringsMatch' "
                 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
                 SLAP_MR_SUBSTR, NULL,
-               NULL, IA5StringNormalize, octetStringSubstringsMatch,
+               NULL, IA5StringNormalize, directoryStringSubstringsMatch,
                 octetStringSubstringsIndexer, octetStringSubstringsFilter,
                 "caseExactIA5Match" },
  
@@ -3599,15 +4576,6 @@ static slap_mrule_defs_rec mrule_defs[] = {
                 NULL},
  #endif
  
-#ifdef SLAPD_ACI_ENABLED
-       {"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' "
-               "SYNTAX 1.3.6.1.4.1.4203.666.2.1 )",
-               SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
-               NULL, NULL, OpenLDAPaciMatch,
-               NULL, NULL,
-               NULL},
-#endif
-
         {"( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' "
                 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )",
                 SLAP_MR_EXT, NULL,
@@ -3622,16 +4590,16 @@ static slap_mrule_defs_rec mrule_defs[] = {
                 NULL, NULL,
                 "integerMatch" },
  
-       {"( 1.3.6.1.4.1.4203.666.4.6 NAME 'UUIDMatch' "
-               "SYNTAX 1.3.6.1.4.1.4203.666.2.6 )",
-               SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
+       {"( 1.3.6.1.1.16.2 NAME 'UUIDMatch' "
+               "SYNTAX 1.3.6.1.1.16.1 )",
+               SLAP_MR_EQUALITY | SLAP_MR_MUTATION_NORMALIZER, NULL,
                 NULL, UUIDNormalize, octetStringMatch,
                 octetStringIndexer, octetStringFilter,
                 NULL},
  
-       {"( 1.3.6.1.4.1.4203.666.4.7 NAME 'UUIDOrderingMatch' "
-               "SYNTAX 1.3.6.1.4.1.4203.666.2.6 )",
-               SLAP_MR_HIDE | SLAP_MR_ORDERING, NULL,
+       {"( 1.3.6.1.1.16.3 NAME 'UUIDOrderingMatch' "
+               "SYNTAX 1.3.6.1.1.16.1 )",
+               SLAP_MR_ORDERING | SLAP_MR_MUTATION_NORMALIZER, NULL,
                 NULL, UUIDNormalize, octetStringOrderingMatch,
                 octetStringIndexer, octetStringFilter,
                 "UUIDMatch"},
@@ -3650,6 +4618,16 @@ static slap_mrule_defs_rec mrule_defs[] = {
                 NULL, NULL,
                 "CSNMatch" },
  
+#ifdef SLAP_AUTHZ_SYNTAX
+       /* FIXME: OID is unused, but not registered yet */
+       {"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' "
+               "SYNTAX 1.3.6.1.4.1.4203.666.2.7 )",
+               SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
+               NULL, authzNormalize, authzMatch,
+               NULL, NULL,
+               NULL},
+#endif /* SLAP_AUTHZ_SYNTAX */
+
         {NULL, SLAP_MR_NONE, NULL,
                 NULL, NULL, NULL, NULL, NULL,
                 NULL }
@@ -3708,4 +4686,7 @@ schema_destroy( void )
         mr_destroy();
         mru_destroy();
         syn_destroy();
+
+       ldap_pvt_thread_mutex_destroy( &ad_undef_mutex );
+       ldap_pvt_thread_mutex_destroy( &oc_undef_mutex );
  }