X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=051e4a6fb4ace6f12a3614915d89552ae188d208;hb=298d439d596b198a3e96e4885dc80a9aba5e64be;hp=bca6db91c2db94ede075ce1c2f829d9b68af1446;hpb=3356017b936e0947cfc5dbd7a108ecd9c1c145a1;p=openldap

diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index bca6db91c2..051e4a6fb4 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -52,13 +52,15 @@ char *style_strings[] = {
 	"users",
 	"self",
 	"ip",
+	"ipv6",
 	"path",
 	NULL
 };
 
 static void		split(char *line, int splitchar, char **left, char **right);
 static void		access_append(Access **l, Access *a);
-static void		acl_usage(void) LDAP_GCCATTR((noreturn));
+static void		access_free( Access *a );
+static int		acl_usage(void);
 
 static void		acl_regex_normalized_dn(const char *src, struct berval *pat);
 
@@ -70,17 +72,24 @@ static int		check_scope( BackendDB *be, AccessControl *a );
 
 #ifdef SLAP_DYNACL
 static int
-slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
+slap_dynacl_config(
+	const char *fname,
+	int lineno,
+	Access *b,
+	const char *name,
+	const char *opts,
+	slap_style_t sty,
+	const char *right )
 {
 	slap_dynacl_t	*da, *tmp;
 	int		rc = 0;
 
 	for ( da = b->a_dynacl; da; da = da->da_next ) {
 		if ( strcasecmp( da->da_name, name ) == 0 ) {
-			fprintf( stderr,
+			Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: dynacl \"%s\" already specified.\n",
 				fname, lineno, name );
-			acl_usage();
+			return acl_usage();
 		}
 	}
 
@@ -93,7 +102,7 @@ slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name,
 	*tmp = *da;
 
 	if ( tmp->da_parse ) {
-		rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
+		rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
 		if ( rc ) {
 			ch_free( tmp );
 			return rc;
@@ -112,8 +121,8 @@ regtest(const char *fname, int lineno, char *pat) {
 	int e;
 	regex_t re;
 
-	char buf[512];
-	unsigned size;
+	char		buf[ SLAP_TEXT_BUFLEN ];
+	unsigned	size;
 
 	char *sp;
 	char *dp;
@@ -144,19 +153,26 @@ regtest(const char *fname, int lineno, char *pat) {
 
 	*dp = '\0';
 	if ( size >= (sizeof(buf) - 1) ) {
-		fprintf( stderr,
+		Debug( LDAP_DEBUG_ANY,
 			"%s: line %d: regular expression \"%s\" too large\n",
 			fname, lineno, pat );
-		acl_usage();
+		(void)acl_usage();
+		exit( EXIT_FAILURE );
 	}
 
 	if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
-		char error[512];
+		char error[ SLAP_TEXT_BUFLEN ];
+
 		regerror(e, &re, error, sizeof(error));
-		fprintf( stderr,
-			"%s: line %d: regular expression \"%s\" bad because of %s\n",
-			fname, lineno, pat, error );
+
+		snprintf( buf, sizeof( buf ),
+			"regular expression \"%s\" bad because of %s",
+			pat, error );
+		Debug( LDAP_DEBUG_ANY,
+			"%s: line %d: %s\n",
+			fname, lineno, buf );
 		acl_usage();
+		exit( EXIT_FAILURE );
 	}
 	regfree(&re);
 }
@@ -176,7 +192,7 @@ regtest(const char *fname, int lineno, char *pat) {
 static int
 check_scope( BackendDB *be, AccessControl *a )
 {
-	int		patlen;
+	ber_len_t	patlen;
 	struct berval	dn;
 
 	dn = be->be_nsuffix[0];
@@ -245,7 +261,8 @@ regex_done:;
 			 * more than one level between the suffix
 			 * and the pattern */
 			if ( style == ACL_STYLE_ONE ) {
-				int	rdnlen = -1, sep = 0;
+				ber_len_t	rdnlen = 0;
+				int		sep = 0;
 
 				if ( patlen > 0 ) {
 					if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
@@ -300,32 +317,31 @@ regex_done:;
 	return ACL_SCOPE_UNKNOWN;
 }
 
-void
+int
 parse_acl(
-    Backend	*be,
-    const char	*fname,
-    int		lineno,
-    int		argc,
-    char	**argv,
+	Backend	*be,
+	const char	*fname,
+	int		lineno,
+	int		argc,
+	char		**argv,
 	int		pos )
 {
 	int		i;
-	char		*left, *right, *style, *next;
+	char		*left, *right, *style;
 	struct berval	bv;
-	AccessControl	*a;
-	Access	*b;
+	AccessControl	*a = NULL;
+	Access	*b = NULL;
 	int rc;
 	const char *text;
 
-	a = NULL;
 	for ( i = 1; i < argc; i++ ) {
 		/* to clause - select which entries are protected */
 		if ( strcasecmp( argv[i], "to" ) == 0 ) {
 			if ( a != NULL ) {
-				fprintf( stderr, "%s: line %d: "
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 					"only one to clause allowed in access line\n",
-				    fname, lineno );
-				acl_usage();
+				    fname, lineno, 0 );
+				goto fail;
 			}
 			a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
 			for ( ++i; i < argc; i++ ) {
@@ -338,11 +354,11 @@ parse_acl(
 					if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
 						a->acl_dn_style != ACL_STYLE_REGEX )
 					{
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: dn pattern"
 							" already specified in to clause.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
@@ -353,21 +369,21 @@ parse_acl(
 				split( left, '.', &left, &style );
 
 				if ( right == NULL ) {
-					fprintf( stderr, "%s: line %d: "
+					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 						"missing \"=\" in \"%s\" in to clause\n",
 					    fname, lineno, left );
-					acl_usage();
+					goto fail;
 				}
 
 				if ( strcasecmp( left, "dn" ) == 0 ) {
 					if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
 						a->acl_dn_style != ACL_STYLE_REGEX )
 					{
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: dn pattern"
 							" already specified in to clause.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					if ( style == NULL || *style == '\0' ||
@@ -422,10 +438,10 @@ parse_acl(
 						}
 
 					} else {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"unknown dn style \"%s\" in to clause\n",
 						    fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					continue;
@@ -433,42 +449,51 @@ parse_acl(
 
 				if ( strcasecmp( left, "filter" ) == 0 ) {
 					if ( (a->acl_filter = str2filter( right )) == NULL ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: bad filter \"%s\" in to clause\n",
 						    fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 
 				} else if ( strcasecmp( left, "attr" ) == 0		/* TOLERATED */
 						|| strcasecmp( left, "attrs" ) == 0 )	/* DOCUMENTED */
 				{
+					if ( strcasecmp( left, "attr" ) == 0 ) {
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: \"attr\" "
+							"is deprecated (and undocumented); "
+							"use \"attrs\" instead.\n",
+							fname, lineno, 0 );
+					}
+
 					a->acl_attrs = str2anlist( a->acl_attrs,
 						right, "," );
 					if ( a->acl_attrs == NULL ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: unknown attr \"%s\" in to clause\n",
 						    fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 
 				} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
-					char	*mr;
+					struct berval	bv;
+					char		*mr;
 					
 					if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: attr val already specified in to clause.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 					if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
 					{
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: attr val requires a single attribute.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
-					ber_str2bv( right, 0, 1, &a->acl_attrval );
+					ber_str2bv( right, 0, 0, &bv );
 					a->acl_attrval_style = ACL_STYLE_BASE;
 
 					mr = strchr( left, '/' );
@@ -478,34 +503,45 @@ parse_acl(
 
 						a->acl_attrval_mr = mr_find( mr );
 						if ( a->acl_attrval_mr == NULL ) {
-							fprintf( stderr, "%s: line %d: "
+							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 								"invalid matching rule \"%s\".\n",
 								fname, lineno, mr );
-							acl_usage();
+							goto fail;
 						}
 
 						if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
 						{
-							fprintf( stderr, "%s: line %d: "
+							char	buf[ SLAP_TEXT_BUFLEN ];
+
+							snprintf( buf, sizeof( buf ),
 								"matching rule \"%s\" use "
-								"with attr \"%s\" not appropriate.\n",
-								fname, lineno, mr,
-								a->acl_attrs[ 0 ].an_name.bv_val );
-							acl_usage();
+								"with attr \"%s\" not appropriate.",
+								mr, a->acl_attrs[ 0 ].an_name.bv_val );
+								
+
+							Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+								fname, lineno, buf );
+							goto fail;
 						}
 					}
 					
 					if ( style != NULL ) {
 						if ( strcasecmp( style, "regex" ) == 0 ) {
-							int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
+							int e = regcomp( &a->acl_attrval_re, bv.bv_val,
 								REG_EXTENDED | REG_ICASE | REG_NOSUB );
 							if ( e ) {
-								char buf[512];
-								regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
-								fprintf( stderr, "%s: line %d: "
-									"regular expression \"%s\" bad because of %s\n",
-									fname, lineno, right, buf );
-								acl_usage();
+								char	err[SLAP_TEXT_BUFLEN],
+									buf[ SLAP_TEXT_BUFLEN ];
+
+								regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
+
+								snprintf( buf, sizeof( buf ),
+									"regular expression \"%s\" bad because of %s",
+									right, err );
+
+								Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+									fname, lineno, buf );
+								goto fail;
 							}
 							a->acl_attrval_style = ACL_STYLE_REGEX;
 
@@ -519,8 +555,6 @@ parse_acl(
 							} else if ( a->acl_attrs[0].an_desc->ad_type->
 								sat_syntax == slap_schema.si_syn_distinguishedName )
 							{
-								struct berval	bv;
-
 								if ( !strcasecmp( style, "baseObject" ) ||
 									!strcasecmp( style, "base" ) )
 								{
@@ -536,57 +570,95 @@ parse_acl(
 								} else if ( !strcasecmp( style, "children" ) ) {
 									a->acl_attrval_style = ACL_STYLE_CHILDREN;
 								} else {
-									fprintf( stderr, 
-										"%s: line %d: unknown val.<style> \"%s\" "
-										"for attributeType \"%s\" with DN syntax; "
-										"using \"base\"\n",
-										fname, lineno, style,
+									char	buf[ SLAP_TEXT_BUFLEN ];
+
+									snprintf( buf, sizeof( buf ),
+										"unknown val.<style> \"%s\" for attributeType \"%s\" "
+											"with DN syntax.",
+										style,
 										a->acl_attrs[0].an_desc->ad_cname.bv_val );
-									a->acl_attrval_style = ACL_STYLE_BASE;
+
+									Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, 
+										"%s: line %d: %s\n",
+										fname, lineno, buf );
+									goto fail;
 								}
 
-								bv = a->acl_attrval;
 								rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
 								if ( rc != LDAP_SUCCESS ) {
-									fprintf( stderr, 
-										"%s: line %d: unable to normalize DN \"%s\" "
-										"for attributeType \"%s\" (%d).\n",
-										fname, lineno, bv.bv_val,
-										a->acl_attrs[0].an_desc->ad_cname.bv_val, rc );
-									acl_usage();
+									char	buf[ SLAP_TEXT_BUFLEN ];
+
+									snprintf( buf, sizeof( buf ),
+										"unable to normalize DN \"%s\" "
+										"for attributeType \"%s\" (%d).",
+										bv.bv_val,
+										a->acl_attrs[0].an_desc->ad_cname.bv_val,
+										rc );
+									Debug( LDAP_DEBUG_ANY, 
+										"%s: line %d: %s\n",
+										fname, lineno, buf );
+									goto fail;
 								}
-								ber_memfree( bv.bv_val );
 
 							} else {
-								fprintf( stderr, 
-									"%s: line %d: unknown val.<style> \"%s\" "
-									"for attributeType \"%s\"; using \"exact\"\n",
-									fname, lineno, style,
-									a->acl_attrs[0].an_desc->ad_cname.bv_val );
-								a->acl_attrval_style = ACL_STYLE_BASE;
+								char	buf[ SLAP_TEXT_BUFLEN ];
+
+								snprintf( buf, sizeof( buf ),
+									"unknown val.<style> \"%s\" for attributeType \"%s\".",
+									style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
+								Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, 
+									"%s: line %d: %s\n",
+									fname, lineno, buf );
+								goto fail;
 							}
 						}
 					}
 
 					/* Check for appropriate matching rule */
-					if ( a->acl_attrval_style != ACL_STYLE_REGEX ) {
+					if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
+						ber_dupbv( &a->acl_attrval, &bv );
+
+					} else if ( BER_BVISNULL( &a->acl_attrval ) ) {
+						int		rc;
+						const char	*text;
+
 						if ( a->acl_attrval_mr == NULL ) {
 							a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
 						}
 
 						if ( a->acl_attrval_mr == NULL ) {
-							fprintf( stderr, "%s: line %d: "
-								"attr \"%s\" must have an EQUALITY matching rule.\n",
+							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+								"attr \"%s\" does not have an EQUALITY matching rule.\n",
 								fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
-							acl_usage();
+							goto fail;
+						}
+
+						rc = asserted_value_validate_normalize(
+							a->acl_attrs[ 0 ].an_desc,
+							a->acl_attrval_mr,
+							SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+							&bv,
+							&a->acl_attrval,
+							&text,
+							NULL );
+						if ( rc != LDAP_SUCCESS ) {
+							char	buf[ SLAP_TEXT_BUFLEN ];
+
+							snprintf( buf, sizeof( buf ), "%s: line %d: "
+								" attr \"%s\" normalization failed (%d: %s)",
+								fname, lineno,
+								a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
+							Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
+								fname, lineno, buf );
+							goto fail;
 						}
 					}
 
 				} else {
-					fprintf( stderr,
+					Debug( LDAP_DEBUG_ANY,
 						"%s: line %d: expecting <what> got \"%s\"\n",
 					    fname, lineno, left );
-					acl_usage();
+					goto fail;
 				}
 			}
 
@@ -605,10 +677,10 @@ parse_acl(
 					struct berval bv;
 					rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
 					if ( rc != LDAP_SUCCESS ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: bad DN \"%s\" in to DN clause\n",
 							fname, lineno, a->acl_dn_pat.bv_val );
-						acl_usage();
+						goto fail;
 					}
 					free( a->acl_dn_pat.bv_val );
 					a->acl_dn_pat = bv;
@@ -617,12 +689,16 @@ parse_acl(
 					int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
 						REG_EXTENDED | REG_ICASE );
 					if ( e ) {
-						char buf[512];
-						regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
-						fprintf( stderr, "%s: line %d: "
-							"regular expression \"%s\" bad because of %s\n",
-							fname, lineno, right, buf );
-						acl_usage();
+						char	err[ SLAP_TEXT_BUFLEN ],
+							buf[ SLAP_TEXT_BUFLEN ];
+
+						regerror( e, &a->acl_dn_re, err, sizeof( err ) );
+						snprintf( buf, sizeof( buf ),
+							"regular expression \"%s\" bad because of %s",
+							right, err );
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+							fname, lineno, buf );
+						goto fail;
 					}
 				}
 			}
@@ -630,27 +706,27 @@ parse_acl(
 		/* by clause - select who has what access to entries */
 		} else if ( strcasecmp( argv[i], "by" ) == 0 ) {
 			if ( a == NULL ) {
-				fprintf( stderr, "%s: line %d: "
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 					"to clause required before by clause in access line\n",
-				    fname, lineno );
-				acl_usage();
+					fname, lineno, 0 );
+				goto fail;
 			}
 
 			/*
 			 * by clause consists of <who> and <access>
 			 */
 
+			if ( ++i == argc ) {
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: premature EOL: expecting <who>\n",
+					fname, lineno, 0 );
+				goto fail;
+			}
+
 			b = (Access *) ch_calloc( 1, sizeof(Access) );
 
 			ACL_INVALIDATE( b->a_access_mask );
 
-			if ( ++i == argc ) {
-				fprintf( stderr,
-			    "%s: line %d: premature eol: expecting <who>\n",
-				    fname, lineno );
-				acl_usage();
-			}
-
 			/* get <who> */
 			for ( ; i < argc; i++ ) {
 				slap_style_t	sty = ACL_STYLE_REGEX;
@@ -671,17 +747,17 @@ parse_acl(
 						if ( style_level != NULL ) {
 							char *p = strchr( style_level, '}' );
 							if ( p == NULL ) {
-								fprintf( stderr,
+								Debug( LDAP_DEBUG_ANY,
 									"%s: line %d: premature eol: "
 									"expecting closing '}' in \"level{n}\"\n",
-									fname, lineno );
-								acl_usage();
+									fname, lineno, 0 );
+								goto fail;
 							} else if ( p == style_level ) {
-								fprintf( stderr,
+								Debug( LDAP_DEBUG_ANY,
 									"%s: line %d: empty level "
 									"in \"level{n}\"\n",
-									fname, lineno );
-								acl_usage();
+									fname, lineno, 0 );
+								goto fail;
 							}
 							p[0] = '\0';
 						}
@@ -710,15 +786,12 @@ parse_acl(
 
 				} else if ( strcasecmp( style, "level" ) == 0 )
 				{
-					char	*next;
-
-					level = strtol( style_level, &next, 10 );
-					if ( next[0] != '\0' ) {
-						fprintf( stderr,
+					if ( lutil_atoi( &level, style_level ) != 0 ) {
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: unable to parse level "
 							"in \"level{n}\"\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					sty = ACL_STYLE_LEVEL;
@@ -732,19 +805,29 @@ parse_acl(
 				} else if ( strcasecmp( style, "ip" ) == 0 ) {
 					sty = ACL_STYLE_IP;
 
+				} else if ( strcasecmp( style, "ipv6" ) == 0 ) {
+#ifndef LDAP_PF_INET6
+					Debug( LDAP_DEBUG_ANY,
+						"%s: line %d: IPv6 not supported\n",
+						fname, lineno, 0 );
+#endif /* ! LDAP_PF_INET6 */
+					sty = ACL_STYLE_IPV6;
+
 				} else if ( strcasecmp( style, "path" ) == 0 ) {
 					sty = ACL_STYLE_PATH;
 #ifndef LDAP_PF_LOCAL
-					fprintf( stderr, "%s: line %d: "
-						"path style modifier is useless without local\n",
-						fname, lineno );
+					Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
+						"%s: line %d: "
+						"\"path\" style modifier is useless without local.\n",
+						fname, lineno, 0 );
+					goto fail;
 #endif /* LDAP_PF_LOCAL */
 
 				} else {
-					fprintf( stderr,
+					Debug( LDAP_DEBUG_ANY,
 						"%s: line %d: unknown style \"%s\" in by clause\n",
-					    fname, lineno, style );
-					acl_usage();
+						fname, lineno, style );
+					goto fail;
 				}
 
 				if ( style_modifier &&
@@ -752,29 +835,13 @@ parse_acl(
 				{
 					switch ( sty ) {
 					case ACL_STYLE_REGEX:
-						fprintf( stderr, "%s: line %d: "
-							"\"regex\" style implies "
-							"\"expand\" modifier" 
-							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-							fname, lineno );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
-						acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"\"regex\" style implies \"expand\" modifier.\n",
+							fname, lineno, 0 );
+						goto fail;
 						break;
 
 					case ACL_STYLE_EXPAND:
-#if 0
-						/* FIXME: now it's legal... */
-						fprintf( stderr, "%s: line %d: "
-							"\"expand\" style used "
-							"in conjunction with "
-							"\"expand\" modifier"
-							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-							fname, lineno );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
-						acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
-#endif
 						break;
 
 					default:
@@ -788,11 +855,10 @@ parse_acl(
 				if ( ( sty == ACL_STYLE_EXPAND || expand )
 						&& a->acl_dn_style != ACL_STYLE_REGEX )
 				{
-					fprintf( stderr, "%s: line %d: "
-						"\"expand\" style or modifier used "
-						"in conjunction with "
-						"a non-regex <what> clause\n",
-						fname, lineno );
+					Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: \"expand\" style "
+						"or modifier used in conjunction with a non-regex <what> clause.\n",
+						fname, lineno, 0 );
+						goto fail;
 				}
 
 				if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
@@ -803,7 +869,7 @@ parse_acl(
 
 				if ( strcasecmp( left, "*" ) == 0 ) {
 					if ( is_realdn ) {
-						acl_usage();
+						goto fail;
 					}
 
 					ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
@@ -877,11 +943,11 @@ parse_acl(
 						}
 
 					} else if ( right == NULL || *right == '\0' ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause\n",
-						    fname, lineno, left );
-						acl_usage();
+							fname, lineno, left );
+						goto fail;
 
 					} else {
 						ber_str2bv( right, 0, 1, &bv );
@@ -893,10 +959,10 @@ parse_acl(
 
 				if ( !BER_BVISNULL( &bv ) ) {
 					if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
-						fprintf( stderr,
-						    "%s: line %d: dn pattern already specified.\n",
-						    fname, lineno );
-						acl_usage();
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: dn pattern already specified.\n",
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					if ( sty != ACL_STYLE_REGEX &&
@@ -908,12 +974,22 @@ parse_acl(
 						rc = dnNormalize(0, NULL, NULL,
 							&bv, &bdn->a_pat, NULL);
 						if ( rc != LDAP_SUCCESS ) {
-							fprintf( stderr,
+							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: bad DN \"%s\" in by DN clause\n",
 								fname, lineno, bv.bv_val );
-							acl_usage();
+							goto fail;
 						}
 						free( bv.bv_val );
+						if ( sty == ACL_STYLE_BASE
+							&& be != NULL
+							&& !BER_BVISNULL( &be->be_rootndn )
+							&& dn_match( &bdn->a_pat, &be->be_rootndn ) )
+						{
+							Debug( LDAP_DEBUG_ANY,
+								"%s: line %d: rootdn is always granted "
+								"unlimited privileges.\n",
+								fname, lineno, 0 );
+						}
 
 					} else {
 						bdn->a_pat = bv;
@@ -924,10 +1000,11 @@ parse_acl(
 						int	gotit = 0;
 
 						for ( exp = strchr( bdn->a_pat.bv_val, '$' );
-								exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len;
-								exp = strchr( exp, '$' ) )
+							exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
+								< bdn->a_pat.bv_len;
+							exp = strchr( exp, '$' ) )
 						{
-							if ( isdigit( exp[ 1 ] ) ) {
+							if ( isdigit( (unsigned char) exp[ 1 ] ) ) {
 								gotit = 1;
 								break;
 							}
@@ -937,14 +1014,10 @@ parse_acl(
 							bdn->a_expand = expand;
 
 						} else {
-							fprintf( stderr,
-								"%s: line %d: \"expand\" used "
-								"with no expansions in \"pattern\""
-								SLAPD_CONF_UNKNOWN_IGNORED ".\n",
-								fname, lineno );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
-							acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+								"\"expand\" used with no expansions in \"pattern\".\n",
+								fname, lineno, 0 );
+							goto fail;
 						} 
 					}
 					if ( sty == ACL_STYLE_SELF ) {
@@ -952,21 +1025,21 @@ parse_acl(
 
 					} else {
 						if ( level < 0 ) {
-							fprintf( stderr,
+							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: bad negative level \"%d\" "
 								"in by DN clause\n",
 								fname, lineno, level );
-							acl_usage();
+							goto fail;
 						} else if ( level == 1 ) {
-							fprintf( stderr,
+							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: \"onelevel\" should be used "
 								"instead of \"level{1}\" in by DN clause\n",
-								fname, lineno );
+								fname, lineno, 0 );
 						} else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
-							fprintf( stderr,
+							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: \"base\" should be used "
 								"instead of \"level{0}\" in by DN clause\n",
-								fname, lineno );
+								fname, lineno, 0 );
 						}
 
 						bdn->a_level = level;
@@ -976,27 +1049,32 @@ parse_acl(
 
 				if ( strcasecmp( left, "dnattr" ) == 0 ) {
 					if ( right == NULL || right[0] == '\0' ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause\n",
 							fname, lineno, left );
-						acl_usage();
+						goto fail;
 					}
 
 					if( bdn->a_at != NULL ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: dnattr already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					rc = slap_str2ad( right, &bdn->a_at, &text );
 
 					if( rc != LDAP_SUCCESS ) {
-						fprintf( stderr,
-							"%s: line %d: dnattr \"%s\": %s\n",
-							fname, lineno, right, text );
-						acl_usage();
+						char	buf[ SLAP_TEXT_BUFLEN ];
+
+						snprintf( buf, sizeof( buf ),
+							"dnattr \"%s\": %s",
+							right, text );
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: %s\n",
+							fname, lineno, buf );
+						goto fail;
 					}
 
 
@@ -1005,20 +1083,25 @@ parse_acl(
 						!is_at_syntax( bdn->a_at->ad_type,
 						SLAPD_NAMEUID_SYNTAX ))
 					{
-						fprintf( stderr,
-							"%s: line %d: dnattr \"%s\": "
+						char	buf[ SLAP_TEXT_BUFLEN ];
+
+						snprintf( buf, sizeof( buf ),
+							"dnattr \"%s\": "
 							"inappropriate syntax: %s\n",
-							fname, lineno, right,
+							right,
 							bdn->a_at->ad_type->sat_syntax_oid );
-						acl_usage();
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: %s\n",
+							fname, lineno, buf );
+						goto fail;
 					}
 
 					if( bdn->a_at->ad_type->sat_equality == NULL ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: dnattr \"%s\": "
 							"inappropriate matching (no EQUALITY)\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 
 					continue;
@@ -1031,10 +1114,11 @@ parse_acl(
 					switch ( sty ) {
 					case ACL_STYLE_REGEX:
 						/* legacy, tolerated */
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
+							"%s: line %d: "
 							"deprecated group style \"regex\"; "
-							"use \"expand\" instead\n",
-							fname, lineno );
+							"use \"expand\" instead.\n",
+							fname, lineno, 0 );
 						sty = ACL_STYLE_EXPAND;
 						break;
 
@@ -1046,25 +1130,27 @@ parse_acl(
 
 					default:
 						/* unknown */
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
-							"in by clause\n",
+							"in by clause.\n",
 							fname, lineno, left );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: group pattern already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					/* format of string is
@@ -1089,10 +1175,10 @@ parse_acl(
 						rc = dnNormalize( 0, NULL, NULL, &bv,
 							&b->a_group_pat, NULL );
 						if ( rc != LDAP_SUCCESS ) {
-							fprintf( stderr,
-								"%s: line %d: bad DN \"%s\"\n",
+							Debug( LDAP_DEBUG_ANY,
+								"%s: line %d: bad DN \"%s\".\n",
 								fname, lineno, right );
-							acl_usage();
+							goto fail;
 						}
 					}
 
@@ -1101,53 +1187,58 @@ parse_acl(
 						*--value = '/';
 
 						if ( b->a_group_oc == NULL ) {
-							fprintf( stderr,
+							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: group objectclass "
-								"\"%s\" unknown\n",
+								"\"%s\" unknown.\n",
 								fname, lineno, value );
-							acl_usage();
+							goto fail;
 						}
 
 					} else {
 						b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
 
 						if( b->a_group_oc == NULL ) {
-							fprintf( stderr,
+							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: group default objectclass "
-								"\"%s\" unknown\n",
+								"\"%s\" unknown.\n",
 								fname, lineno, SLAPD_GROUP_CLASS );
-							acl_usage();
+							goto fail;
 						}
 					}
 
 					if ( is_object_subclass( slap_schema.si_oc_referral,
 						b->a_group_oc ) )
 					{
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: group objectclass \"%s\" "
-							"is subclass of referral\n",
+							"is subclass of referral.\n",
 							fname, lineno, value );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( is_object_subclass( slap_schema.si_oc_alias,
 						b->a_group_oc ) )
 					{
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: group objectclass \"%s\" "
-							"is subclass of alias\n",
+							"is subclass of alias.\n",
 							fname, lineno, value );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( name && *name ) {
 						rc = slap_str2ad( name, &b->a_group_at, &text );
 
 						if( rc != LDAP_SUCCESS ) {
-							fprintf( stderr,
-								"%s: line %d: group \"%s\": %s\n",
-								fname, lineno, right, text );
-							acl_usage();
+							char	buf[ SLAP_TEXT_BUFLEN ];
+
+							snprintf( buf, sizeof( buf ),
+								"group \"%s\": %s.",
+								right, text );
+							Debug( LDAP_DEBUG_ANY,
+								"%s: line %d: %s\n",
+								fname, lineno, buf );
+							goto fail;
 						}
 						*--name = '/';
 
@@ -1155,10 +1246,15 @@ parse_acl(
 						rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
 
 						if ( rc != LDAP_SUCCESS ) {
-							fprintf( stderr,
-								"%s: line %d: group \"%s\": %s\n",
-								fname, lineno, SLAPD_GROUP_ATTR, text );
-							acl_usage();
+							char	buf[ SLAP_TEXT_BUFLEN ];
+
+							snprintf( buf, sizeof( buf ),
+								"group \"%s\": %s.",
+								SLAPD_GROUP_ATTR, text );
+							Debug( LDAP_DEBUG_ANY,
+								"%s: line %d: %s\n",
+								fname, lineno, buf );
+							goto fail;
 						}
 					}
 
@@ -1168,31 +1264,39 @@ parse_acl(
 						SLAPD_NAMEUID_SYNTAX ) &&
 						!is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
 					{
-						fprintf( stderr,
-							"%s: line %d: group \"%s\": inappropriate syntax: %s\n",
-							fname, lineno, right,
+						char	buf[ SLAP_TEXT_BUFLEN ];
+
+						snprintf( buf, sizeof( buf ),
+							"group \"%s\": inappropriate syntax: %s.",
+							right,
 							b->a_group_at->ad_type->sat_syntax_oid );
-						acl_usage();
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: %s\n",
+							fname, lineno, buf );
+						goto fail;
 					}
 
 
 					{
 						int rc;
-						struct berval vals[2];
+						ObjectClass *ocs[2];
 
-						ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
-						BER_BVZERO( &vals[1] );
+						ocs[0] = b->a_group_oc;
+						ocs[1] = NULL;
 
 						rc = oc_check_allowed( b->a_group_at->ad_type,
-							vals, NULL );
+							ocs, NULL );
 
 						if( rc != 0 ) {
-							fprintf( stderr, "%s: line %d: "
-								"group: \"%s\" not allowed by \"%s\"\n",
-								fname, lineno,
+							char	buf[ SLAP_TEXT_BUFLEN ];
+
+							snprintf( buf, sizeof( buf ),
+								"group: \"%s\" not allowed by \"%s\".",
 								b->a_group_at->ad_cname.bv_val,
 								b->a_group_oc->soc_oid );
-							acl_usage();
+							Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+								fname, lineno, buf );
+							goto fail;
 						}
 					}
 					continue;
@@ -1206,30 +1310,31 @@ parse_acl(
 					case ACL_STYLE_EXPAND:
 						/* cheap replacement to regex for simple expansion */
 					case ACL_STYLE_IP:
+					case ACL_STYLE_IPV6:
 					case ACL_STYLE_PATH:
 						/* legal, peername specific */
 						break;
 
 					default:
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
-							"in by clause\n",
+							"in by clause.\n",
 							fname, lineno, left );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"peername pattern already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					b->a_peername_style = sty;
@@ -1254,10 +1359,10 @@ parse_acl(
 							b->a_peername_addr = inet_addr( addr );
 							if ( b->a_peername_addr == (unsigned long)(-1) ) {
 								/* illegal address */
-								fprintf( stderr, "%s: line %d: "
+								Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 									"illegal peername address \"%s\".\n",
 									fname, lineno, addr );
-								acl_usage();
+								goto fail;
 							}
 
 							b->a_peername_mask = (unsigned long)(-1);
@@ -1267,11 +1372,11 @@ parse_acl(
 									(unsigned long)(-1) )
 								{
 									/* illegal mask */
-									fprintf( stderr, "%s: line %d: "
+									Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 										"illegal peername address mask "
 										"\"%s\".\n",
 										fname, lineno, mask );
-									acl_usage();
+									goto fail;
 								}
 							} 
 
@@ -1280,15 +1385,61 @@ parse_acl(
 								char	*end = NULL;
 
 								b->a_peername_port = strtol( port, &end, 10 );
-								if ( end[0] != '}' ) {
+								if ( end == port || end[0] != '}' ) {
+									/* illegal port */
+									Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+										"illegal peername port specification "
+										"\"{%s}\".\n",
+										fname, lineno, port );
+									goto fail;
+								}
+							}
+
+#ifdef LDAP_PF_INET6
+						} else if ( sty == ACL_STYLE_IPV6 ) {
+							char		*addr = NULL,
+									*mask = NULL,
+									*port = NULL;
+
+							split( right, '{', &addr, &port );
+							split( addr, '%', &addr, &mask );
+
+							if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
+								/* illegal address */
+								Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+									"illegal peername address \"%s\".\n",
+									fname, lineno, addr );
+								goto fail;
+							}
+
+							if ( mask == NULL ) {
+								mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
+							}
+
+							if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
+								/* illegal mask */
+								Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+									"illegal peername address mask "
+									"\"%s\".\n",
+									fname, lineno, mask );
+								goto fail;
+							}
+
+							b->a_peername_port = -1;
+							if ( port ) {
+								char	*end = NULL;
+
+								b->a_peername_port = strtol( port, &end, 10 );
+								if ( end == port || end[0] != '}' ) {
 									/* illegal port */
-									fprintf( stderr, "%s: line %d: "
+									Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 										"illegal peername port specification "
 										"\"{%s}\".\n",
 										fname, lineno, port );
-									acl_usage();
+									goto fail;
 								}
 							}
+#endif /* LDAP_PF_INET6 */
 						}
 					}
 					continue;
@@ -1305,25 +1456,25 @@ parse_acl(
 
 					default:
 						/* unknown */
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
 						    fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause\n",
 							fname, lineno, left );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"sockname pattern already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					b->a_sockname_style = sty;
@@ -1351,11 +1502,11 @@ parse_acl(
 					case ACL_STYLE_EXPAND:
 						/* tolerated: means exact,expand */
 						if ( expand ) {
-							fprintf( stderr,
+							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: "
 								"\"expand\" modifier "
-								"with \"expand\" style\n",
-								fname, lineno );
+								"with \"expand\" style.\n",
+								fname, lineno, 0 );
 						}
 						sty = ACL_STYLE_BASE;
 						expand = 1;
@@ -1363,25 +1514,25 @@ parse_acl(
 
 					default:
 						/* unknown */
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
-							"in by clause\n",
+							"in by clause.\n",
 							fname, lineno, left );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: domain pattern already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					b->a_domain_style = sty;
@@ -1410,25 +1561,25 @@ parse_acl(
 
 					default:
 						/* unknown */
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
-							"in by clause\n",
+							"in by clause.\n",
 							fname, lineno, left );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: sockurl pattern already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					b->a_sockurl_style = sty;
@@ -1449,11 +1600,12 @@ parse_acl(
 					switch ( sty ) {
 						/* deprecated */
 					case ACL_STYLE_REGEX:
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
+							"%s: line %d: "
 							"deprecated set style "
 							"\"regex\" in <by> clause; "
-							"use \"expand\" instead\n",
-							fname, lineno );
+							"use \"expand\" instead.\n",
+							fname, lineno, 0 );
 						sty = ACL_STYLE_EXPAND;
 						/* FALLTHRU */
 						
@@ -1462,24 +1614,24 @@ parse_acl(
 						break;
 
 					default:
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: set attribute already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
-						fprintf( stderr,
-							"%s: line %d: no set is defined\n",
-							fname, lineno );
-						acl_usage();
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: no set is defined.\n",
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					b->a_set_style = sty;
@@ -1490,225 +1642,189 @@ parse_acl(
 
 #ifdef SLAP_DYNACL
 				{
-					char		*name = NULL;
-					
+					char		*name = NULL,
+							*opts = NULL;
+
+#if 1 /* tolerate legacy "aci" <who> */
 					if ( strcasecmp( left, "aci" ) == 0 ) {
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"undocumented deprecated \"aci\" directive "
+							"is superseded by \"dynacl/aci\".\n",
+							fname, lineno, 0 );
 						name = "aci";
 						
-					} else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
+					} else
+#endif /* tolerate legacy "aci" <who> */
+					if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
 						name = &left[ STRLENOF( "dynacl/" ) ];
+						opts = strchr( name, '/' );
+						if ( opts ) {
+							opts[ 0 ] = '\0';
+							opts++;
+						}
 					}
 
 					if ( name ) {
-						if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
-							fprintf( stderr, "%s: line %d: "
-								"unable to configure dynacl \"%s\"\n",
+						if ( slap_dynacl_config( fname, lineno, b, name, opts, sty, right ) ) {
+							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+								"unable to configure dynacl \"%s\".\n",
 								fname, lineno, name );
-							acl_usage();
+							goto fail;
 						}
 
 						continue;
 					}
 				}
-#else /* ! SLAP_DYNACL */
-
-#ifdef SLAPD_ACI_ENABLED
-				if ( strcasecmp( left, "aci" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
-						    fname, lineno, style );
-						acl_usage();
-					}
-
-					if( b->a_aci_at != NULL ) {
-						fprintf( stderr,
-							"%s: line %d: aci attribute already specified.\n",
-							fname, lineno );
-						acl_usage();
-					}
-
-					if ( right != NULL && *right != '\0' ) {
-						rc = slap_str2ad( right, &b->a_aci_at, &text );
-
-						if( rc != LDAP_SUCCESS ) {
-							fprintf( stderr,
-								"%s: line %d: aci \"%s\": %s\n",
-								fname, lineno, right, text );
-							acl_usage();
-						}
-
-					} else {
-						b->a_aci_at = slap_schema.si_ad_aci;
-					}
-
-					if( !is_at_syntax( b->a_aci_at->ad_type,
-						SLAPD_ACI_SYNTAX) )
-					{
-						fprintf( stderr, "%s: line %d: "
-							"aci \"%s\": inappropriate syntax: %s\n",
-							fname, lineno, right,
-							b->a_aci_at->ad_type->sat_syntax_oid );
-						acl_usage();
-					}
-
-					continue;
-				}
-#endif /* SLAPD_ACI_ENABLED */
-#endif /* ! SLAP_DYNACL */
+#endif /* SLAP_DYNACL */
 
 				if ( strcasecmp( left, "ssf" ) == 0 ) {
 					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_ssf ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: ssf attribute already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
-						fprintf( stderr,
-							"%s: line %d: no ssf is defined\n",
-							fname, lineno );
-						acl_usage();
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: no ssf is defined.\n",
+							fname, lineno, 0 );
+						goto fail;
 					}
 
-					b->a_authz.sai_ssf = strtol( right, &next, 10 );
-					if ( next == NULL || next[0] != '\0' ) {
-						fprintf( stderr,
-							"%s: line %d: unable to parse ssf value (%s)\n",
+					if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: unable to parse ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_ssf ) {
-						fprintf( stderr,
-							"%s: line %d: invalid ssf value (%s)\n",
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: invalid ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 					continue;
 				}
 
 				if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
 					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_transport_ssf ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"transport_ssf attribute already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
-						fprintf( stderr,
-							"%s: line %d: no transport_ssf is defined\n",
-							fname, lineno );
-						acl_usage();
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: no transport_ssf is defined.\n",
+							fname, lineno, 0 );
+						goto fail;
 					}
 
-					b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
-					if ( next == NULL || next[0] != '\0' ) {
-						fprintf( stderr, "%s: line %d: "
-							"unable to parse transport_ssf value (%s)\n",
+					if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"unable to parse transport_ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_transport_ssf ) {
-						fprintf( stderr,
-							"%s: line %d: invalid transport_ssf value (%s)\n",
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: invalid transport_ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 					continue;
 				}
 
 				if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
 					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_tls_ssf ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"tls_ssf attribute already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
-						fprintf( stderr,
+						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: no tls_ssf is defined\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
-					b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
-					if ( next == NULL || next[0] != '\0' ) {
-						fprintf( stderr, "%s: line %d: "
-							"unable to parse tls_ssf value (%s)\n",
+					if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"unable to parse tls_ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_tls_ssf ) {
-						fprintf( stderr,
-							"%s: line %d: invalid tls_ssf value (%s)\n",
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: invalid tls_ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 					continue;
 				}
 
 				if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
 					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
-						fprintf( stderr, "%s: line %d: "
-							"inappropriate style \"%s\" in by clause\n",
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_sasl_ssf ) {
-						fprintf( stderr, "%s: line %d: "
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"sasl_ssf attribute already specified.\n",
-							fname, lineno );
-						acl_usage();
+							fname, lineno, 0 );
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
-						fprintf( stderr,
-							"%s: line %d: no sasl_ssf is defined\n",
-							fname, lineno );
-						acl_usage();
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: no sasl_ssf is defined.\n",
+							fname, lineno, 0 );
+						goto fail;
 					}
 
-					b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
-					if ( next == NULL || next[0] != '\0' ) {
-						fprintf( stderr, "%s: line %d: "
-							"unable to parse sasl_ssf value (%s)\n",
+					if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
+						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+							"unable to parse sasl_ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_sasl_ssf ) {
-						fprintf( stderr,
-							"%s: line %d: invalid sasl_ssf value (%s)\n",
+						Debug( LDAP_DEBUG_ANY,
+							"%s: line %d: invalid sasl_ssf value (%s).\n",
 							fname, lineno, right );
-						acl_usage();
+						goto fail;
 					}
 					continue;
 				}
@@ -1724,6 +1840,7 @@ parse_acl(
 				/* out of arguments or plain stop */
 
 				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_STOP;
 
 				access_append( &a->acl_access, b );
@@ -1734,6 +1851,7 @@ parse_acl(
 				/* plain continue */
 
 				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_CONTINUE;
 
 				access_append( &a->acl_access, b );
@@ -1744,6 +1862,7 @@ parse_acl(
 				/* plain continue */
 
 				ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_BREAK;
 
 				access_append( &a->acl_access, b );
@@ -1754,6 +1873,7 @@ parse_acl(
 				/* we've gone too far */
 				--i;
 				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_STOP;
 
 				access_append( &a->acl_access, b );
@@ -1761,23 +1881,26 @@ parse_acl(
 			}
 
 			/* get <access> */
-			if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
-				b->a_dn_self = 1;
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
+			{
+				char	*lleft = left;
 
-			} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
-				b->a_realdn_self = 1;
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
+				if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
+					b->a_dn_self = 1;
+					lleft = &left[ STRLENOF( "self" ) ];
 
-			} else {
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
+				} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
+					b->a_realdn_self = 1;
+					lleft = &left[ STRLENOF( "realself" ) ];
+				}
+
+				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
 			}
 
 			if ( ACL_IS_INVALID( b->a_access_mask ) ) {
-				fprintf( stderr,
-					"%s: line %d: expecting <access> got \"%s\"\n",
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: expecting <access> got \"%s\".\n",
 					fname, lineno, left );
-				acl_usage();
+				goto fail;
 			}
 
 			b->a_type = ACL_STOP;
@@ -1802,74 +1925,82 @@ parse_acl(
 			}
 
 			access_append( &a->acl_access, b );
+			b = NULL;
 
 		} else {
-			fprintf( stderr,
+			Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: expecting \"to\" "
 				"or \"by\" got \"%s\"\n",
 				fname, lineno, argv[i] );
-			acl_usage();
+			goto fail;
 		}
 	}
 
 	/* if we have no real access clause, complain and do nothing */
 	if ( a == NULL ) {
-		fprintf( stderr, "%s: line %d: "
-			"warning: no access clause(s) specified in access line\n",
-			fname, lineno );
+		Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+			"warning: no access clause(s) specified in access line.\n",
+			fname, lineno, 0 );
+		goto fail;
 
 	} else {
 #ifdef LDAP_DEBUG
-		if ( ldap_debug & LDAP_DEBUG_ACL ) {
+		if ( slap_debug & LDAP_DEBUG_ACL ) {
 			print_acl( be, a );
 		}
 #endif
 	
 		if ( a->acl_access == NULL ) {
-			fprintf( stderr, "%s: line %d: "
-				"warning: no by clause(s) specified in access line\n",
-				fname, lineno );
+			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+				"warning: no by clause(s) specified in access line.\n",
+				fname, lineno, 0 );
+			goto fail;
 		}
 
 		if ( be != NULL ) {
-			if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
-				fprintf( stderr, "%s: line %d: warning: "
+			if ( be->be_nsuffix == NULL ) {
+				Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+					"scope checking needs suffix before ACLs.\n",
+					fname, lineno, 0 );
+				/* go ahead, since checking is not authoritative */
+			} else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
+				Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
 					"scope checking only applies to single-valued "
 					"suffix databases\n",
-					fname, lineno );
+					fname, lineno, 0 );
 				/* go ahead, since checking is not authoritative */
-			}
-
-			switch ( check_scope( be, a ) ) {
-			case ACL_SCOPE_UNKNOWN:
-				fprintf( stderr, "%s: line %d: warning: "
-					"cannot assess the validity of the ACL scope within "
-					"backend naming context\n",
-					fname, lineno );
-				break;
-
-			case ACL_SCOPE_WARN:
-				fprintf( stderr, "%s: line %d: warning: "
-					"ACL could be out of scope within backend naming context\n",
-					fname, lineno );
-				break;
+			} else {
+				switch ( check_scope( be, a ) ) {
+				case ACL_SCOPE_UNKNOWN:
+					Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+						"cannot assess the validity of the ACL scope within "
+						"backend naming context\n",
+						fname, lineno, 0 );
+					break;
 
-			case ACL_SCOPE_PARTIAL:
-				fprintf( stderr, "%s: line %d: warning: "
-					"ACL appears to be partially out of scope within "
-					"backend naming context\n",
-					fname, lineno );
-				break;
+				case ACL_SCOPE_WARN:
+					Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+						"ACL could be out of scope within backend naming context\n",
+						fname, lineno, 0 );
+					break;
 
-			case ACL_SCOPE_ERR:
-				fprintf( stderr, "%s: line %d: warning: "
-					"ACL appears to be out of scope within "
-					"backend naming context\n",
-					fname, lineno );
-				break;
+				case ACL_SCOPE_PARTIAL:
+					Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+						"ACL appears to be partially out of scope within "
+						"backend naming context\n",
+						fname, lineno, 0 );
+					break;
+	
+				case ACL_SCOPE_ERR:
+					Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+						"ACL appears to be out of scope within "
+						"backend naming context\n",
+						fname, lineno, 0 );
+					break;
 
-			default:
-				break;
+				default:
+					break;
+				}
 			}
 			acl_append( &be->be_acl, a, pos );
 
@@ -1877,6 +2008,13 @@ parse_acl(
 			acl_append( &frontendDB->be_acl, a, pos );
 		}
 	}
+
+	return 0;
+
+fail:
+	if ( b ) access_free( b );
+	if ( a ) acl_free( a );
+	return acl_usage();
 }
 
 char *
@@ -2056,7 +2194,10 @@ str2accessmask( const char *str )
 			} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
 
-			} else if( str[i] != '0' ) {
+			} else if( str[i] == '0' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_NONE);
+
+			} else {
 				ACL_INVALIDATE(mask);
 				return mask;
 			}
@@ -2102,15 +2243,19 @@ str2accessmask( const char *str )
 	return mask;
 }
 
-static void
+static int
 acl_usage( void )
 {
-	fprintf( stderr, "%s%s%s\n",
+	char *access =
 		"<access clause> ::= access to <what> "
-				"[ by <who> <access> [ <control> ] ]+ \n"
-		"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
-		"<attrlist> ::= <attr> [val[/matchingRule][.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
-		"<attr> ::= <attrname> | entry | children\n",
+				"[ by <who> [ <access> ] [ <control> ] ]+ \n";
+	char *what =
+		"<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
+		"<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
+		"<attrlist> ::= <attr> [ , <attrlist> ]\n"
+		"<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
+
+	char *who =
 		"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
 			"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
 			"\t[dnattr=<attrname>]\n"
@@ -2118,26 +2263,32 @@ acl_usage( void )
 			"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
 			"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
 			"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
-#ifdef SLAPD_ACI_ENABLED
-			"\t[aci[=<attrname>]]\n"
-#endif
 #ifdef SLAP_DYNACL
-			"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
+			"\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
 #endif /* SLAP_DYNACL */
-			"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
+			"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
 		"<style> ::= exact | regex | base(Object)\n"
 		"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
 			"exact | regex\n"
 		"<attrstyle> ::= exact | regex | base(Object) | one(level) | "
 			"sub(tree) | children\n"
-		"<peernamestyle> ::= exact | regex | ip | path\n"
+		"<peernamestyle> ::= exact | regex | ip | ipv6 | path\n"
 		"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
 		"<access> ::= [[real]self]{<level>|<priv>}\n"
 		"<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
 		"<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
 		"<control> ::= [ stop | continue | break ]\n"
-	);
-	exit( EXIT_FAILURE );
+#ifdef SLAP_DYNACL
+#ifdef SLAPD_ACI_ENABLED
+		"dynacl:\n"
+		"\t<name>=ACI\t<pattern>=<attrname>\n"
+#endif /* SLAPD_ACI_ENABLED */
+#endif /* ! SLAP_DYNACL */
+		"";
+
+	Debug( LDAP_DEBUG_ANY, "%s%s%s\n", access, what, who );
+
+	return 1;
 }
 
 /*
@@ -2289,6 +2440,14 @@ acl_free( AccessControl *a )
 			free( an->an_name.bv_val );
 		}
 		free( a->acl_attrs );
+
+		if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
+			regfree( &a->acl_attrval_re );
+		}
+
+		if ( !BER_BVISNULL( &a->acl_attrval ) ) {
+			ber_memfree( a->acl_attrval.bv_val );
+		}
 	}
 	for ( ; a->acl_access; a->acl_access = n ) {
 		n = a->acl_access->a_next;
@@ -2360,10 +2519,6 @@ str2access( const char *str )
 		return ACL_NONE;
 
 	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
-#ifndef SLAP_ACL_HONOR_DISCLOSE
-		fprintf( stderr, "str2access: warning, "
-			"\"disclose\" privilege disabled.\n" );
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
 		return ACL_DISCLOSE;
 
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
@@ -2550,13 +2705,6 @@ access2text( Access *b, char *ptr )
 			}
 		}
 	}
-#else /* ! SLAP_DYNACL */
-#ifdef SLAPD_ACI_ENABLED
-	if ( b->a_aci_at != NULL ) {
-		ptr = lutil_strcopy( ptr, " aci=" );
-		ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
-	}
-#endif
 #endif /* SLAP_DYNACL */
 
 	/* Security Strength Factors */
@@ -2688,7 +2836,6 @@ acl_unparse( AccessControl *a, struct berval *bv )
 }
 
 #ifdef LDAP_DEBUG
-
 static void
 print_acl( Backend *be, AccessControl *a )
 {