]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/schema_init.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
add support for auditContext (schema differs a bit from <draft-chu-ldap-logschema...
[openldap] / servers / slapd / schema_init.c
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 505a375c519f2c83cd83a11e45edad2d13c9681b..69c93f270d9306d9f68f9b55d49b2d4d2fa5c38b 100644 (file)
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -67,10 +67,8 @@
 #define csnIndexer                             generalizedTimeIndexer
 #define csnFilter                              generalizedTimeFilter
 
-#ifdef SLAP_AUTHZ_SYNTAX
 /* FIXME: temporary */
 #define authzMatch                             octetStringMatch
-#endif /* SLAP_AUTHZ_SYNTAX */
 
 unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT;
 unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT;
@@ -712,11 +710,14 @@ bitStringValidate(
                return LDAP_INVALID_SYNTAX;
        }
 
-       /*
-        * RFC 2252 section 6.3 Bit String
-        *      bitstring = "'" *binary-digit "'B"
-        *      binary-digit = "0" / "1"
-        * example: '0101111101'B
+       /* RFC 4517 Section 3.3.2 Bit String:
+     * BitString    = SQUOTE *binary-digit SQUOTE "B"
+     * binary-digit = "0" / "1"
+        *
+        * where SQUOTE [RFC4512] is
+        *      SQUOTE  = %x27 ; single quote ("'")
+        *
+        * Example: '0101111101'B
         */
        
        if( in->bv_val[0] != '\'' ||
@@ -736,39 +737,7 @@ bitStringValidate(
 }
 
 /*
- * Syntax is [RFC2252]:
- *
-
-6.3. Bit String
-
-   ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )
-
-   Values in this syntax are encoded according to the following BNF:
-
-      bitstring = "'" *binary-digit "'B"
-
-      binary-digit = "0" / "1"
-
-   ... 
-
-6.21. Name And Optional UID
-
-   ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )
-
-   Values in this syntax are encoded according to the following BNF:
-
-      NameAndOptionalUID = DistinguishedName [ "#" bitstring ]
-
-   Although the '#' character may occur in a string representation of a
-   distinguished name, no additional special quoting is done.  This
-   syntax has been added subsequent to RFC 1778.
-
-   Example:
-
-      1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101'B
-
- *
- * draft-ietf-ldapbis-syntaxes-xx.txt says:
+ * Syntaxes from RFC 4517
  *
 
 3.3.2.  Bit String
@@ -826,7 +795,7 @@ bitStringValidate(
    [X.520].
 
  *
- * draft-ietf-ldapbis-models-xx.txt [MODELS] says:
+ * RFC 4512 says:
  *
 
 1.4. Common ABNF Productions
@@ -844,11 +813,11 @@ bitStringValidate(
  * 
  * 1.3.6.1.4.1.1466.0=#04024869,o=test,c=gb#'101'B
  * 
- * Since draft-ietf-ldapbis-dn-xx.txt clarifies that SHARP,
- * i.e. "#", doesn't have to be escaped except when at the
- * beginning of a value, the definition of Name and Optional
- * UID appears to be flawed, because there is no clear means
- * to determine whether the UID part is present or not.
+ * RFC 4514 clarifies that SHARP, i.e. "#", doesn't have to
+ * be escaped except when at the beginning of a value, the
+ * definition of Name and Optional UID appears to be flawed,
+ * because there is no clear means to determine whether the
+ * UID part is present or not.
  *
  * Example:
  *
@@ -1010,7 +979,7 @@ uniqueMemberNormalize(
        struct berval out;
        int rc;
 
-       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ));
+       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ) != 0 );
 
        ber_dupbv_x( &out, val, ctx );
        if ( BER_BVISEMPTY( &out ) ) {
@@ -1294,7 +1263,7 @@ Summary:
 
   TelephoneNumber      subset  subset  i + ignore all spaces and "-"
 
-  See draft-ietf-ldapbis-strpro for details (once published).
+  See RFC 4518 for details.
 
 
 Directory String -
@@ -1423,7 +1392,7 @@ UTF8StringNormalize(
        int flags;
        int i, wasspace;
 
-       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ));
+       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ) != 0 );
 
        if( BER_BVISNULL( val ) ) {
                /* assume we're dealing with a syntax (e.g., UTF8String)
@@ -1854,7 +1823,7 @@ telephoneNumberNormalize(
 {
        char *p, *q;
 
-       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ));
+       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ) != 0 );
 
        /* validator should have refused an empty string */
        assert( !BER_BVISEMPTY( val ) );
@@ -2101,11 +2070,12 @@ IA5StringNormalize(
        void *ctx )
 {
        char *p, *q;
-       int casefold = !SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match);
+       int casefold = !SLAP_MR_ASSOCIATED( mr,
+               slap_schema.si_mr_caseExactIA5Match );
 
        assert( !BER_BVISEMPTY( val ) );
 
-       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ));
+       assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ) != 0 );
 
        p = val->bv_val;
 
@@ -2188,6 +2158,56 @@ UUIDValidate(
 }
 
 static int
+UUIDPretty(
+       Syntax *syntax,
+       struct berval *in,
+       struct berval *out,
+       void *ctx )
+{
+       int i;
+       int rc=LDAP_INVALID_SYNTAX;
+
+       assert( in != NULL );
+       assert( out != NULL );
+
+       if( in->bv_len != 36 ) return LDAP_INVALID_SYNTAX;
+
+       out->bv_len = 36;
+       out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
+
+       for( i=0; i<36; i++ ) {
+               switch(i) {
+                       case 8:
+                       case 13:
+                       case 18:
+                       case 23:
+                               if( in->bv_val[i] != '-' ) {
+                                       goto handle_error;
+                               }
+                               out->bv_val[i] = '-';
+                               break;
+
+                       default:
+                               if( !ASCII_HEX( in->bv_val[i]) ) {
+                                       goto handle_error;
+                               }
+                               out->bv_val[i] = TOLOWER( in->bv_val[i] );
+               }
+       }
+
+       rc = LDAP_SUCCESS;
+       out->bv_val[ out->bv_len ] = '\0';
+
+       if( 0 ) {
+handle_error:
+               slap_sl_free( out->bv_val, ctx );
+               out->bv_val = NULL;
+       }
+
+       return rc;
+}
+
+int
 UUIDNormalize(
        slap_mask_t usage,
        Syntax *syntax,
@@ -2304,16 +2324,11 @@ numericStringNormalize(
  * Integer conversion macros that will use the largest available
  * type.
  */
-#if defined(HAVE_STRTOLL) && defined(LLONG_MAX) \
-       && defined(LLONG_MIN) && defined(HAVE_LONG_LONG)
+#if defined(HAVE_STRTOLL) && defined(HAVE_LONG_LONG)
 # define SLAP_STRTOL(n,e,b)  strtoll(n,e,b) 
-# define SLAP_LONG_MAX       LLONG_MAX
-# define SLAP_LONG_MIN       LLONG_MIN
 # define SLAP_LONG           long long
 #else
 # define SLAP_STRTOL(n,e,b)  strtol(n,e,b)
-# define SLAP_LONG_MAX       LONG_MAX
-# define SLAP_LONG_MIN       LONG_MIN
 # define SLAP_LONG           long
 #endif /* HAVE_STRTOLL ... */
 
@@ -2328,18 +2343,17 @@ integerBitAndMatch(
 {
        SLAP_LONG lValue, lAssertedValue;
 
+       errno = 0;
        /* safe to assume integers are NUL terminated? */
        lValue = SLAP_STRTOL(value->bv_val, NULL, 10);
-       if(( lValue == SLAP_LONG_MIN || lValue == SLAP_LONG_MAX) &&
-               errno == ERANGE )
+       if( errno == ERANGE )
        {
                return LDAP_CONSTRAINT_VIOLATION;
        }
 
        lAssertedValue = SLAP_STRTOL(((struct berval *)assertedValue)->bv_val,
                NULL, 10);
-       if(( lAssertedValue == SLAP_LONG_MIN || lAssertedValue == SLAP_LONG_MAX ) &&
-               errno == ERANGE )
+       if( errno == ERANGE )
        {
                return LDAP_CONSTRAINT_VIOLATION;
        }
@@ -2359,18 +2373,17 @@ integerBitOrMatch(
 {
        SLAP_LONG lValue, lAssertedValue;
 
+       errno = 0;
        /* safe to assume integers are NUL terminated? */
        lValue = SLAP_STRTOL(value->bv_val, NULL, 10);
-       if(( lValue == SLAP_LONG_MIN || lValue == SLAP_LONG_MAX ) &&
-               errno == ERANGE )
+       if( errno == ERANGE )
        {
                return LDAP_CONSTRAINT_VIOLATION;
        }
 
        lAssertedValue = SLAP_STRTOL( ((struct berval *)assertedValue)->bv_val,
                NULL, 10);
-       if(( lAssertedValue == SLAP_LONG_MIN || lAssertedValue == SLAP_LONG_MAX ) &&
-               errno == ERANGE )
+       if( errno == ERANGE )
        {
                return LDAP_CONSTRAINT_VIOLATION;
        }
@@ -2387,94 +2400,522 @@ serialNumberAndIssuerValidate(
        int rc;
        ber_len_t n;
        struct berval sn, i;
+
+       Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerValidate: <%s>\n",
+               in->bv_val, 0, 0 );
+
        if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
 
-       i.bv_val = ber_bvchr( in, '$' );
-       if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+       if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+               /* Parse old format */
+               i.bv_val = ber_bvchr( in, '$' );
+               if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+
+               sn.bv_val = in->bv_val;
+               sn.bv_len = i.bv_val - in->bv_val;
+
+               i.bv_val++;
+               i.bv_len = in->bv_len - (sn.bv_len + 1);
 
-       sn.bv_val = in->bv_val;
-       sn.bv_len = i.bv_val - in->bv_val;
+               /* eat leading zeros */
+               for( n=0; n < (sn.bv_len-1); n++ ) {
+                       if( sn.bv_val[n] != '0' ) break;
+               }
+               sn.bv_val += n;
+               sn.bv_len -= n;
+
+               for( n=0; n < sn.bv_len; n++ ) {
+                       if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+               }
 
-       i.bv_val++;
-       i.bv_len = in->bv_len - (sn.bv_len + 1);
+       } else {
+               /* Parse GSER format */ 
+               int havesn=0,haveissuer=0;
+               struct berval x = *in;
+               x.bv_val++;
+               x.bv_len-=2;
+
+               /* eat leading spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
 
-       /* validate serial number (strict for now) */
-       for( n=0; n < sn.bv_len; n++ ) {
-               if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+               if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               /* should be at issuer or serialNumber NamedValue */
+               if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+                       if ( x.bv_len < STRLENOF(",serialNumber 0")) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       haveissuer++;
+
+               } else if( strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 )
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+
+                       if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       havesn++;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
+               x.bv_val++; x.bv_len--;
+
+               /* eat spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should be at remaining NamedValue */
+               if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
+                       STRLENOF("issuer" )) == 0 ))
+               {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                                /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+               } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 ))
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len;
+                       x.bv_len -= sn.bv_len;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               /* eat trailing spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should have no characters left... */
+               if( x.bv_len ) return LDAP_INVALID_SYNTAX;
        }
 
-       /* validate DN */
+       /* validate DN -- doesn't handle double dquote */ 
        rc = dnValidate( NULL, &i );
        if( rc ) return LDAP_INVALID_SYNTAX;
 
+       Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerValidate: OKAY\n",
+               in->bv_val, 0, 0 );
        return LDAP_SUCCESS;
 }
 
 int
 serialNumberAndIssuerPretty(
        Syntax *syntax,
-       struct berval *val,
+       struct berval *in,
        struct berval *out,
        void *ctx )
 {
        int rc;
        ber_len_t n;
-       struct berval sn, i, newi;
+       struct berval sn, i, ni;
 
-       assert( val != NULL );
+       assert( in != NULL );
        assert( out != NULL );
 
        Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n",
-               val->bv_val, 0, 0 );
+               in->bv_val, 0, 0 );
 
-       if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+       if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+       if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+               /* Parse old format */
+               i.bv_val = ber_bvchr( in, '$' );
+               if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+
+               sn.bv_val = in->bv_val;
+               sn.bv_len = i.bv_val - in->bv_val;
+
+               i.bv_val++;
+               i.bv_len = in->bv_len - (sn.bv_len + 1);
+
+               /* eat leading zeros */
+               for( n=0; n < (sn.bv_len-1); n++ ) {
+                       if( sn.bv_val[n] != '0' ) break;
+               }
+               sn.bv_val += n;
+               sn.bv_len -= n;
+
+               for( n=0; n < sn.bv_len; n++ ) {
+                       if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+               }
+
+       } else {
+               /* Parse GSER format */ 
+               int havesn=0,haveissuer=0;
+               struct berval x = *in;
+               x.bv_val++;
+               x.bv_len-=2;
+
+               /* eat leading spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
+                       return LDAP_INVALID_SYNTAX;
+               }
+
+               /* should be at issuer or serialNumber NamedValue */
+               if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+                       if ( x.bv_len < STRLENOF(",serialNumber 0")) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       haveissuer++;
+
+               } else if( strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 )
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+
+                       if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       havesn++;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
+               x.bv_val++; x.bv_len--;
+
+               /* eat spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should be at remaining NamedValue */
+               if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
+                       STRLENOF("issuer" )) == 0 ))
+               {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                                /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+               } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 ))
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
 
-       i.bv_val = ber_bvchr( val, '$' );
-       if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
 
-       sn.bv_val = val->bv_val;
-       sn.bv_len = i.bv_val - val->bv_val;
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
 
-       i.bv_val++;
-       i.bv_len = val->bv_len - (sn.bv_len + 1);
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
 
-       /* eat leading zeros */
-       for( n=0; n < (sn.bv_len-1); n++ ) {
-               if( sn.bv_val[n] != '0' ) break;
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len;
+                       x.bv_len -= sn.bv_len;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               /* eat trailing spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should have no characters left... */
+               if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+
+               ber_dupbv_x( &ni, &i, ctx );
+               i = ni;
+
+               /* need to handle double dquotes here */
        }
-       sn.bv_val += n;
-       sn.bv_len -= n;
 
-       for( n=0; n < sn.bv_len; n++ ) {
-               if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+       rc = dnPretty( syntax, &i, &ni, ctx );
+
+       if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+               slap_sl_free( i.bv_val, ctx );
        }
 
-       /* pretty DN */
-       rc = dnPretty( syntax, &i, &newi, ctx );
        if( rc ) return LDAP_INVALID_SYNTAX;
 
        /* make room from sn + "$" */
-       out->bv_len = sn.bv_len + newi.bv_len + 1;
-       out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
+       out->bv_len = STRLENOF("{ serialNumber , issuer \"\" }")
+               + sn.bv_len + ni.bv_len;
+       out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
 
        if( out->bv_val == NULL ) {
                out->bv_len = 0;
-               slap_sl_free( newi.bv_val, ctx );
+               slap_sl_free( ni.bv_val, ctx );
                return LDAP_OTHER;
        }
 
-       /* push issuer over */
-       AC_MEMCPY( &out->bv_val[sn.bv_len+1], out->bv_val, newi.bv_len );
-       /* insert sn and "$" */
-       AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
-       out->bv_val[sn.bv_len] = '$';
-       /* terminate */
-       out->bv_val[out->bv_len] = '\0';
+       n = 0;
+       AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
+               STRLENOF("{ serialNumber "));
+       n = STRLENOF("{ serialNumber ");
+
+       AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
+       n += sn.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF(", issuer \""));
+       n += STRLENOF(", issuer \"");
+
+       AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
+       n += ni.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF("\" }"));
+       n += STRLENOF("\" }");
+
+       out->bv_val[n] = '\0';
+
+       assert( n == out->bv_len );
 
        Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n",
                out->bv_val, 0, 0 );
 
-       return LDAP_SUCCESS;
+       slap_sl_free( ni.bv_val, ctx );
+
+       return LDAP_SUCCESS; 
 }
 
 /*
@@ -2488,70 +2929,287 @@ serialNumberAndIssuerNormalize(
        slap_mask_t usage,
        Syntax *syntax,
        MatchingRule *mr,
-       struct berval *val,
+       struct berval *in,
        struct berval *out,
        void *ctx )
 {
        int rc;
        ber_len_t n;
-       struct berval sn, i, newi;
+       struct berval sn, i, ni;
 
-       assert( val != NULL );
+       assert( in != NULL );
        assert( out != NULL );
 
        Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerNormalize: <%s>\n",
-               val->bv_val, 0, 0 );
+               in->bv_val, 0, 0 );
 
-       if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+       if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
 
-       i.bv_val = ber_bvchr( val, '$' );
-       if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+       if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+               /* Parse old format */
+               i.bv_val = ber_bvchr( in, '$' );
+               if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
 
-       sn.bv_val = val->bv_val;
-       sn.bv_len = i.bv_val - val->bv_val;
+               sn.bv_val = in->bv_val;
+               sn.bv_len = i.bv_val - in->bv_val;
 
-       i.bv_val++;
-       i.bv_len = val->bv_len - (sn.bv_len + 1);
+               i.bv_val++;
+               i.bv_len = in->bv_len - (sn.bv_len + 1);
 
-       /* eat leading zeros */
-       for( n=0; n < (sn.bv_len-1); n++ ) {
-               if( sn.bv_val[n] != '0' ) break;
-       }
-       sn.bv_val += n;
-       sn.bv_len -= n;
+               /* eat leading zeros */
+               for( n=0; n < (sn.bv_len-1); n++ ) {
+                       if( sn.bv_val[n] != '0' ) break;
+               }
+               sn.bv_val += n;
+               sn.bv_len -= n;
+
+               for( n=0; n < sn.bv_len; n++ ) {
+                       if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+               }
 
-       for( n=0; n < sn.bv_len; n++ ) {
-               if( !ASCII_DIGIT(sn.bv_val[n]) ) {
+       } else {
+               /* Parse GSER format */ 
+               int havesn=0,haveissuer=0;
+               struct berval x = *in;
+               x.bv_val++;
+               x.bv_len-=2;
+
+               /* eat leading spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
                        return LDAP_INVALID_SYNTAX;
                }
+
+               /* should be at issuer or serialNumber NamedValue */
+               if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+                       if ( x.bv_len < STRLENOF(",serialNumber 0")) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       haveissuer++;
+
+               } else if( strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 )
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+
+                       if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       havesn++;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
+               x.bv_val++; x.bv_len--;
+
+               /* eat spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should be at remaining NamedValue */
+               if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
+                       STRLENOF("issuer" )) == 0 ))
+               {
+                       /* parse issuer */
+                       x.bv_val += STRLENOF("issuer");
+                       x.bv_len -= STRLENOF("issuer");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                                /* empty */;
+                       }
+                       
+                       if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       i.bv_val = x.bv_val;
+                       i.bv_len = 0;
+
+                       for( ; i.bv_len < x.bv_len; ) {
+                               if ( i.bv_val[i.bv_len] != '"' ) {
+                                       i.bv_len++;
+                                       continue;
+                               }
+                               if ( i.bv_val[i.bv_len+1] == '"' ) {
+                                       /* double dquote */
+                                       i.bv_len+=2;
+                                       continue;
+                               }
+                               break;
+                       }
+                       x.bv_val += i.bv_len+1;
+                       x.bv_len -= i.bv_len+1;
+
+               } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
+                       STRLENOF("serialNumber")) == 0 ))
+               {
+                       /* parse serialNumber */
+                       int neg=0;
+                       x.bv_val += STRLENOF("serialNumber");
+                       x.bv_len -= STRLENOF("serialNumber");
+
+                       if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+                       x.bv_val++; x.bv_len--;
+
+                       /* eat leading spaces */
+                       for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
+                               /* empty */;
+                       }
+                       
+                       sn.bv_val = x.bv_val;
+                       sn.bv_len = 0;
+
+                       if( sn.bv_val[0] == '-' ) {
+                               neg++;
+                               sn.bv_len++;
+                       }
+
+                       for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
+                               if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+                       }
+
+                       if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
+                       if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+
+                       x.bv_val += sn.bv_len;
+                       x.bv_len -= sn.bv_len;
+
+               } else return LDAP_INVALID_SYNTAX;
+
+               /* eat trailing spaces */
+               for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+                       /* empty */;
+               }
+
+               /* should have no characters left... */
+               if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+
+               ber_dupbv_x( &ni, &i, ctx );
+               i = ni;
+
+               /* need to handle double dquotes here */
+       }
+
+       rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx );
+
+       if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+               slap_sl_free( i.bv_val, ctx );
        }
 
-       /* pretty DN */
-       rc = dnNormalize( usage, syntax, mr, &i, &newi, ctx );
        if( rc ) return LDAP_INVALID_SYNTAX;
 
        /* make room from sn + "$" */
-       out->bv_len = sn.bv_len + newi.bv_len + 1;
-       out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
+       out->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
+               + sn.bv_len + ni.bv_len;
+       out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
 
        if( out->bv_val == NULL ) {
                out->bv_len = 0;
-               slap_sl_free( newi.bv_val, ctx );
+               slap_sl_free( ni.bv_val, ctx );
                return LDAP_OTHER;
        }
 
-       /* push issuer over */
-       AC_MEMCPY( &out->bv_val[sn.bv_len+1], out->bv_val, newi.bv_len );
-       /* insert sn and "$" */
-       AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
-       out->bv_val[sn.bv_len] = '$';
-       /* terminate */
-       out->bv_val[out->bv_len] = '\0';
+       n = 0;
+       AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
+               STRLENOF( "{ serialNumber " ));
+       n = STRLENOF( "{ serialNumber " );
+
+       AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
+       n += sn.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF( ", issuer \"" ));
+       n += STRLENOF( ", issuer \"" );
+
+       AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
+       n += ni.bv_len;
+
+       AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF( "\" }" ));
+       n += STRLENOF( "\" }" );
+
+       out->bv_val[n] = '\0';
+
+       assert( n == out->bv_len );
 
        Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
                out->bv_val, 0, 0 );
 
-       return rc;
+       slap_sl_free( ni.bv_val, ctx );
+
+       return LDAP_SUCCESS;
 }
 
 #ifdef HAVE_TLS
@@ -2579,7 +3237,7 @@ certificateExactNormalize(
                return serialNumberAndIssuerNormalize(0,NULL,NULL,val,normalized,ctx);
        }
 
-       assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) );
+       assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
 
        p = (unsigned char *)val->bv_val;
        xcert = d2i_X509( NULL, &p, val->bv_len);
@@ -2596,19 +3254,34 @@ certificateExactNormalize(
        rc = dnX509normalize( name, &issuer_dn );
        if( rc != LDAP_SUCCESS ) goto done;
 
-       normalized->bv_len = seriallen + issuer_dn.bv_len + 1;
+       normalized->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
+               + seriallen + issuer_dn.bv_len;
        normalized->bv_val = ch_malloc(normalized->bv_len+1);
+
        p = (unsigned char *)normalized->bv_val;
+
+       AC_MEMCPY(p, "{ serialNumber ", STRLENOF( "{ serialNumber " ));
+       p += STRLENOF( "{ serialNumber " );
+
        AC_MEMCPY(p, serial, seriallen);
        p += seriallen;
-       *p++ = '$';
+
+       AC_MEMCPY(p, ", issuer \"", STRLENOF( ", issuer \"" ));
+       p += STRLENOF( ", issuer \"" );
+
        AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
        p += issuer_dn.bv_len;
+
+       AC_MEMCPY(p, "\" }", STRLENOF( "\" }" ));
+       p += STRLENOF( "\" }" );
+
        *p = '\0';
 
        Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n",
                normalized->bv_val, NULL, NULL );
 
+       rc = LDAP_SUCCESS;
+
 done:
        if (xcert) X509_free(xcert);
        if (serial) ch_free(serial);
@@ -2868,7 +3541,7 @@ generalizedTimeNormalize(
                return rc;
        }
 
-       len = sizeof("YYYYmmddHHMMSSZ")-1 + fraction.bv_len;
+       len = STRLENOF("YYYYmmddHHMMSSZ") + fraction.bv_len;
        normalized->bv_val = slap_sl_malloc( len + 1, ctx );
        if ( BER_BVISNULL( normalized ) ) {
                return LBER_ERROR_MEMORY;
@@ -2878,9 +3551,9 @@ generalizedTimeNormalize(
                parts[0], parts[1], parts[2] + 1, parts[3] + 1,
                parts[4], parts[5], parts[6] );
        if ( !BER_BVISEMPTY( &fraction ) ) {
-               memcpy( normalized->bv_val + sizeof("YYYYmmddHHMMSSZ")-2,
+               memcpy( normalized->bv_val + STRLENOF("YYYYmmddHHMMSSZ")-1,
                        fraction.bv_val, fraction.bv_len );
-               normalized->bv_val[sizeof("YYYYmmddHHMMSSZ")-2] = '.';
+               normalized->bv_val[STRLENOF("YYYYmmddHHMMSSZ")-1] = '.';
        }
        strcpy( normalized->bv_val + len-1, "Z" );
        normalized->bv_len = len;
@@ -3435,11 +4108,23 @@ static slap_syntax_defs_rec syntax_defs[] = {
        {"( 1.3.6.1.1.1.0.1  DESC 'RFC2307 Boot Parameter' )",
                0, bootParameterValidate, NULL},
 
-       /* From PKIX *//* This OID is not published yet. */
-       {"( 1.2.826.0.1.3344810.7.1 DESC 'Certificate Serial Number and Issuer' )",
+       /* draft-zeilenga-ldap-x509 */
+       {"( 1.3.6.1.1.15.1 DESC 'Certificate Exact Assertion' )",
                SLAP_SYNTAX_HIDE,
                serialNumberAndIssuerValidate,
                serialNumberAndIssuerPretty},
+       {"( 1.3.6.1.1.15.2 DESC 'Certificate Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.3 DESC 'Certificate Pair Exact Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.4 DESC 'Certificate Pair Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.5 DESC 'Certificate List Exact Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.6 DESC 'Certificate List Assertion' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
+       {"( 1.3.6.1.1.15.7 DESC 'Algorithm Identifier' )",
+               SLAP_SYNTAX_HIDE, NULL, NULL},
 
 #ifdef SLAPD_AUTHPASSWD
        /* needs updating */
@@ -3448,7 +4133,7 @@ static slap_syntax_defs_rec syntax_defs[] = {
 #endif
 
        {"( 1.3.6.1.1.16.1 DESC 'UUID' )",
-               0, UUIDValidate, NULL},
+               0, UUIDValidate, UUIDPretty},
 
        {"( 1.3.6.1.4.1.4203.666.11.2.1 DESC 'CSN' )",
                SLAP_SYNTAX_HIDE, csnValidate, NULL},
@@ -3457,11 +4142,9 @@ static slap_syntax_defs_rec syntax_defs[] = {
        {"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" ,
                SLAP_SYNTAX_HIDE, inValidate, NULL},
 
-#ifdef SLAP_AUTHZ_SYNTAX
        /* FIXME: OID is unused, but not registered yet */
        {"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
                SLAP_SYNTAX_HIDE, authzValidate, authzPretty},
-#endif /* SLAP_AUTHZ_SYNTAX */
 
        {NULL, 0, NULL, NULL}
 };
@@ -3482,13 +4165,13 @@ char *directoryStringSyntaxes[] = {
 };
 char *integerFirstComponentMatchSyntaxes[] = {
        "1.3.6.1.4.1.1466.115.121.1.27" /* INTEGER */,
-       "1.3.6.1.4.1.1466.115.121.1.17" /* ditStructureRuleDescription */,
+       "1.3.6.1.4.1.1466.115.121.1.17" /* dITStructureRuleDescription */,
        NULL
 };
 char *objectIdentifierFirstComponentMatchSyntaxes[] = {
        "1.3.6.1.4.1.1466.115.121.1.38" /* OID */,
        "1.3.6.1.4.1.1466.115.121.1.3"  /* attributeTypeDescription */,
-       "1.3.6.1.4.1.1466.115.121.1.16" /* ditContentRuleDescription */,
+       "1.3.6.1.4.1.1466.115.121.1.16" /* dITContentRuleDescription */,
        "1.3.6.1.4.1.1466.115.121.1.54" /* ldapSyntaxDescription */,
        "1.3.6.1.4.1.1466.115.121.1.30" /* matchingRuleDescription */,
        "1.3.6.1.4.1.1466.115.121.1.31" /* matchingRuleUseDescription */,
@@ -3505,17 +4188,18 @@ char *objectIdentifierFirstComponentMatchSyntaxes[] = {
  * 2.5.13.31*  directoryStringFirstComponentMatch
  * 2.5.13.32*  wordMatch
  * 2.5.13.33*  keywordMatch
- * 2.5.13.36   certificatePairExactMatch
- * 2.5.13.37   certificatePairMatch
- * 2.5.13.38   certificateListExactMatch
- * 2.5.13.39   certificateListMatch
- * 2.5.13.40   algorithmIdentifierMatch
+ * 2.5.13.36+  certificatePairExactMatch
+ * 2.5.13.37+  certificatePairMatch
+ * 2.5.13.38+  certificateListExactMatch
+ * 2.5.13.39+  certificateListMatch
+ * 2.5.13.40+  algorithmIdentifierMatch
  * 2.5.13.41*  storedPrefixMatch
  * 2.5.13.42   attributeCertificateMatch
  * 2.5.13.43   readerAndKeyIDMatch
  * 2.5.13.44   attributeIntegrityMatch
  *
  * (*) described in RFC 3698 (LDAP: Additional Matching Rules)
+ * (+) described in draft-zeilenga-ldap-x509
  */
 static slap_mrule_defs_rec mrule_defs[] = {
        /*
@@ -3798,7 +4482,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
                NULL },
 
        {"( 2.5.13.34 NAME 'certificateExactMatch' "
-               "SYNTAX 1.2.826.0.1.3344810.7.1 )",
+               "SYNTAX 1.3.6.1.1.15.1 )",
                SLAP_MR_EQUALITY | SLAP_MR_EXT, certificateExactMatchSyntaxes,
 #ifdef HAVE_TLS
                NULL, certificateExactNormalize, octetStringMatch,
@@ -3809,14 +4493,9 @@ static slap_mrule_defs_rec mrule_defs[] = {
                NULL },
 
        {"( 2.5.13.35 NAME 'certificateMatch' "
-               "SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )",
+               "SYNTAX 1.3.6.1.1.15.2 )",
                SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL,
-#ifdef HAVE_TLS
-               NULL, NULL, octetStringMatch,
-               octetStringIndexer, octetStringFilter,
-#else
                NULL, NULL, NULL, NULL, NULL,
-#endif
                NULL },
 
        {"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' "
@@ -3873,14 +4552,14 @@ static slap_mrule_defs_rec mrule_defs[] = {
 
        {"( 1.3.6.1.1.16.2 NAME 'UUIDMatch' "
                "SYNTAX 1.3.6.1.1.16.1 )",
-               SLAP_MR_EQUALITY, NULL,
+               SLAP_MR_EQUALITY | SLAP_MR_MUTATION_NORMALIZER, NULL,
                NULL, UUIDNormalize, octetStringMatch,
                octetStringIndexer, octetStringFilter,
                NULL},
 
        {"( 1.3.6.1.1.16.3 NAME 'UUIDOrderingMatch' "
                "SYNTAX 1.3.6.1.1.16.1 )",
-               SLAP_MR_ORDERING, NULL,
+               SLAP_MR_ORDERING | SLAP_MR_MUTATION_NORMALIZER, NULL,
                NULL, UUIDNormalize, octetStringOrderingMatch,
                octetStringIndexer, octetStringFilter,
                "UUIDMatch"},
@@ -3899,7 +4578,6 @@ static slap_mrule_defs_rec mrule_defs[] = {
                NULL, NULL,
                "CSNMatch" },
 
-#ifdef SLAP_AUTHZ_SYNTAX
        /* FIXME: OID is unused, but not registered yet */
        {"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' "
                "SYNTAX 1.3.6.1.4.1.4203.666.2.7 )",
@@ -3907,7 +4585,6 @@ static slap_mrule_defs_rec mrule_defs[] = {
                NULL, authzNormalize, authzMatch,
                NULL, NULL,
                NULL},
-#endif /* SLAP_AUTHZ_SYNTAX */
 
        {NULL, SLAP_MR_NONE, NULL,
                NULL, NULL, NULL, NULL, NULL,
@@ -3968,6 +4645,8 @@ schema_destroy( void )
        mru_destroy();
        syn_destroy();
 
-       ldap_pvt_thread_mutex_destroy( &ad_undef_mutex );
-       ldap_pvt_thread_mutex_destroy( &oc_undef_mutex );
+       if( schema_init_done ) {
+               ldap_pvt_thread_mutex_destroy( &ad_undef_mutex );
+               ldap_pvt_thread_mutex_destroy( &oc_undef_mutex );
+       }
 }
Cloned from git://git.openldap.org/openldap.git