X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=fddae6b13a5eec2f6a9fbe8fdb2e6db8a78150b0;hb=b94a77687075b0eb2d54d087b8b956d197c1023c;hp=694b77f500f8fa7dc2f16abc0e97c30357e8bd13;hpb=372a941334f6fc88d8ac1f14466ad710409512f0;p=openldap

diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 694b77f500..fddae6b13a 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -45,7 +45,11 @@ static char *style_strings[] = {
 	"one",
 	"subtree",
 	"children",
+	"level",
 	"attrof",
+	"anonymous",
+	"users",
+	"self",
 	"ip",
 	"path",
 	NULL
@@ -62,10 +66,46 @@ static void		print_acl(Backend *be, AccessControl *a);
 static void		print_access(Access *b);
 #endif
 
-#ifdef LDAP_DEVEL
+static int		check_scope( BackendDB *be, AccessControl *a );
+
+#ifdef SLAP_DYNACL
 static int
-check_scope( BackendDB *be, AccessControl *a );
-#endif /* LDAP_DEVEL */
+slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
+{
+	slap_dynacl_t	*da, *tmp;
+	int		rc = 0;
+
+	for ( da = b->a_dynacl; da; da = da->da_next ) {
+		if ( strcasecmp( da->da_name, name ) == 0 ) {
+			fprintf( stderr,
+				"%s: line %d: dynacl \"%s\" already specified.\n",
+				fname, lineno, name );
+			acl_usage();
+		}
+	}
+
+	da = slap_dynacl_get( name );
+	if ( da == NULL ) {
+		return -1;
+	}
+
+	tmp = ch_malloc( sizeof( slap_dynacl_t ) );
+	*tmp = *da;
+
+	if ( tmp->da_parse ) {
+		rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
+		if ( rc ) {
+			ch_free( tmp );
+			return rc;
+		}
+	}
+
+	tmp->da_next = b->a_dynacl;
+	b->a_dynacl = tmp;
+
+	return 0;
+}
+#endif /* SLAP_DYNACL */
 
 static void
 regtest(const char *fname, int lineno, char *pat) {
@@ -103,7 +143,7 @@ regtest(const char *fname, int lineno, char *pat) {
 	}
 
 	*dp = '\0';
-	if ( size >= (sizeof(buf)-1) ) {
+	if ( size >= (sizeof(buf) - 1) ) {
 		fprintf( stderr,
 			"%s: line %d: regular expression \"%s\" too large\n",
 			fname, lineno, pat );
@@ -121,7 +161,6 @@ regtest(const char *fname, int lineno, char *pat) {
 	regfree(&re);
 }
 
-#ifdef LDAP_DEVEL
 /*
  * Experimental
  *
@@ -142,16 +181,24 @@ check_scope( BackendDB *be, AccessControl *a )
 
 	dn = be->be_nsuffix[0];
 
-	if ( a->acl_dn_pat.bv_len || a->acl_dn_style != ACL_STYLE_REGEX ) {
+	if ( BER_BVISEMPTY( &dn ) ) {
+		return ACL_SCOPE_OK;
+	}
+
+	if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+			a->acl_dn_style != ACL_STYLE_REGEX )
+	{
 		slap_style_t	style = a->acl_dn_style;
 
 		if ( style == ACL_STYLE_REGEX ) {
-			char	dnbuf[SLAP_LDAPDN_MAXLEN + 2];
-			char	rebuf[SLAP_LDAPDN_MAXLEN + 1];
-			regex_t	re;
-			int	rc;
+			char		dnbuf[SLAP_LDAPDN_MAXLEN + 2];
+			char		rebuf[SLAP_LDAPDN_MAXLEN + 1];
+			ber_len_t	rebuflen;
+			regex_t		re;
+			int		rc;
 			
-			/* add trailing '$' */
+			/* add trailing '$' to database suffix to form
+			 * a simple trial regex pattern "<suffix>$" */
 			AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
 				be->be_nsuffix[0].bv_len );
 			dnbuf[be->be_nsuffix[0].bv_len] = '$';
@@ -161,17 +208,26 @@ check_scope( BackendDB *be, AccessControl *a )
 				return ACL_SCOPE_WARN;
 			}
 
-			/* remove trailing '$' */
-			AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val,
-				a->acl_dn_pat.bv_len + 1 );
-			if ( a->acl_dn_pat.bv_val[a->acl_dn_pat.bv_len - 1] == '$' ) {
-				rebuf[a->acl_dn_pat.bv_len - 1] = '\0';
+			/* remove trailing ')$', if any, from original
+			 * regex pattern */
+			rebuflen = a->acl_dn_pat.bv_len;
+			AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
+			if ( rebuf[rebuflen - 1] == '$' ) {
+				rebuf[--rebuflen] = '\0';
+			}
+			while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
+				rebuf[--rebuflen] = '\0';
+			}
+			if ( rebuflen == be->be_nsuffix[0].bv_len ) {
+				rc = ACL_SCOPE_WARN;
+				goto regex_done;
 			}
 
 			/* not a clear indication of scoping error, though */
 			rc = regexec( &re, rebuf, 0, NULL, 0 )
 				? ACL_SCOPE_WARN : ACL_SCOPE_OK;
 
+regex_done:;
 			regfree( &re );
 			return rc;
 		}
@@ -185,8 +241,8 @@ check_scope( BackendDB *be, AccessControl *a )
 			/* base is blatantly wrong */
 			if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
 
-			/* one can be wrong if there is more
-			 * than one level between the suffix
+			/* a style of one can be wrong if there is
+			 * more than one level between the suffix
 			 * and the pattern */
 			if ( style == ACL_STYLE_ONE ) {
 				int	rdnlen = -1, sep = 0;
@@ -227,7 +283,8 @@ check_scope( BackendDB *be, AccessControl *a )
 		}
 
 		if ( dn.bv_len < patlen &&
-			!DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen -dn.bv_len - 1] )) {
+			!DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
+		{
 			return ACL_SCOPE_ERR;
 		}
 
@@ -242,7 +299,6 @@ check_scope( BackendDB *be, AccessControl *a )
 
 	return ACL_SCOPE_UNKNOWN;
 }
-#endif /* LDAP_DEVEL */
 
 void
 parse_acl(
@@ -250,8 +306,7 @@ parse_acl(
     const char	*fname,
     int		lineno,
     int		argc,
-    char	**argv
-)
+    char	**argv )
 {
 	int		i;
 	char		*left, *right, *style, *next;
@@ -279,8 +334,8 @@ parse_acl(
 				}
 
 				if ( strcasecmp( argv[i], "*" ) == 0 ) {
-					if( a->acl_dn_pat.bv_len ||
-						( a->acl_dn_style != ACL_STYLE_REGEX ) )
+					if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+						a->acl_dn_style != ACL_STYLE_REGEX )
 					{
 						fprintf( stderr,
 							"%s: line %d: dn pattern"
@@ -289,8 +344,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					a->acl_dn_pat.bv_val = ch_strdup( "*" );
-					a->acl_dn_pat.bv_len = 1;
+					ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
 					continue;
 				}
 
@@ -305,8 +359,8 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "dn" ) == 0 ) {
-					if( a->acl_dn_pat.bv_len != 0 ||
-						( a->acl_dn_style != ACL_STYLE_REGEX ) )
+					if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+						a->acl_dn_style != ACL_STYLE_REGEX )
 					{
 						fprintf( stderr,
 							"%s: line %d: dn pattern"
@@ -333,8 +387,7 @@ parse_acl(
 						strcasecmp( style, "sub" ) == 0 )
 					{
 						if( *right == '\0' ) {
-							a->acl_dn_pat.bv_val = ch_strdup( "*" );
-							a->acl_dn_pat.bv_len = 1;
+							ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
 
 						} else {
 							a->acl_dn_style = ACL_STYLE_SUBTREE;
@@ -361,8 +414,7 @@ parse_acl(
 							|| strcmp(right, ".*$$") == 0 
 							|| strcmp(right, "^.*$$") == 0 )
 						{
-							a->acl_dn_pat.bv_val = ch_strdup( "*" );
-							a->acl_dn_pat.bv_len = sizeof("*")-1;
+							ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
 
 						} else {
 							acl_regex_normalized_dn( right, &a->acl_dn_pat );
@@ -398,13 +450,14 @@ parse_acl(
 					}
 
 				} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
-					if ( a->acl_attrval.bv_len ) {
+					if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
 						fprintf( stderr,
 				"%s: line %d: attr val already specified in to clause.\n",
 							fname, lineno );
 						acl_usage();
 					}
-					if ( a->acl_attrs == NULL || a->acl_attrs[1].an_name.bv_val ) {
+					if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
+					{
 						fprintf( stderr,
 				"%s: line %d: attr val requires a single attribute.\n",
 							fname, lineno );
@@ -455,7 +508,7 @@ parse_acl(
 									a->acl_attrs[0].an_desc->ad_cname.bv_val );
 								a->acl_attrval_style = ACL_STYLE_BASE;
 							}
-							
+
 						} else {
 							fprintf( stderr, 
 								"%s: line %d: unknown val.<style> \"%s\" "
@@ -474,16 +527,15 @@ parse_acl(
 				}
 			}
 
-			if ( a->acl_dn_pat.bv_len != 0 &&
-				strcmp(a->acl_dn_pat.bv_val, "*") == 0 )
+			if ( !BER_BVISNULL( &a->acl_dn_pat ) && 
+					ber_bvccmp( &a->acl_dn_pat, '*' ) )
 			{
 				free( a->acl_dn_pat.bv_val );
-				a->acl_dn_pat.bv_val = NULL;
-				a->acl_dn_pat.bv_len = 0;
+				BER_BVZERO( &a->acl_dn_pat );
 			}
 			
-			if( a->acl_dn_pat.bv_len != 0 ||
-				( a->acl_dn_style != ACL_STYLE_REGEX ) )
+			if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+					a->acl_dn_style != ACL_STYLE_REGEX ) 
 			{
 				if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
 					struct berval bv;
@@ -496,6 +548,7 @@ parse_acl(
 					}
 					free( a->acl_dn_pat.bv_val );
 					a->acl_dn_pat = bv;
+
 				} else {
 					int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
 						REG_EXTENDED | REG_ICASE );
@@ -536,14 +589,39 @@ parse_acl(
 
 			/* get <who> */
 			for ( ; i < argc; i++ ) {
-				slap_style_t sty = ACL_STYLE_REGEX;
-				char *style_modifier = NULL;
-				int expand = 0;
+				slap_style_t	sty = ACL_STYLE_REGEX;
+				char		*style_modifier = NULL;
+				char		*style_level = NULL;
+				int		level = 0;
+				int		expand = 0;
+				slap_dn_access	*bdn = &b->a_dn;
+				int		is_realdn = 0;
 
 				split( argv[i], '=', &left, &right );
 				split( left, '.', &left, &style );
 				if ( style ) {
-					split( style, ',', &style, &style_modifier);
+					split( style, ',', &style, &style_modifier );
+
+					if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
+						split( style, '{', &style, &style_level );
+						if ( style_level != NULL ) {
+							char *p = strchr( style_level, '}' );
+							if ( p == NULL ) {
+								fprintf( stderr,
+									"%s: line %d: premature eol: "
+									"expecting closing '}' in \"level{n}\"\n",
+									fname, lineno );
+								acl_usage();
+							} else if ( p == style_level ) {
+								fprintf( stderr,
+									"%s: line %d: empty level "
+									"in \"level{n}\"\n",
+									fname, lineno );
+								acl_usage();
+							}
+							p[0] = '\0';
+						}
+					}
 				}
 
 				if ( style == NULL || *style == '\0' ||
@@ -566,6 +644,21 @@ parse_acl(
 				} else if ( strcasecmp( style, "children" ) == 0 ) {
 					sty = ACL_STYLE_CHILDREN;
 
+				} else if ( strcasecmp( style, "level" ) == 0 )
+				{
+					char	*next;
+
+					level = strtol( style_level, &next, 10 );
+					if ( next[0] != '\0' ) {
+						fprintf( stderr,
+							"%s: line %d: unable to parse level "
+							"in \"level{n}\"\n",
+							fname, lineno );
+						acl_usage();
+					}
+
+					sty = ACL_STYLE_LEVEL;
+
 				} else if ( strcasecmp( style, "regex" ) == 0 ) {
 					sty = ACL_STYLE_REGEX;
 
@@ -602,11 +695,14 @@ parse_acl(
 						break;
 
 					case ACL_STYLE_EXPAND:
+#if 0
+						/* FIXME: now it's legal... */
 						fprintf( stderr, "%s: line %d: "
 							"\"expand\" style used "
 							"in conjunction with "
 							"\"expand\" modifier (ignored)\n",
 							fname, lineno );
+#endif
 						break;
 
 					default:
@@ -627,43 +723,57 @@ parse_acl(
 						fname, lineno );
 				}
 
+				if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
+					is_realdn = 1;
+					bdn = &b->a_realdn;
+					left += STRLENOF( "real" );
+				}
 
-				if ( strcasecmp( argv[i], "*" ) == 0 ) {
-					bv.bv_val = ch_strdup( "*" );
-					bv.bv_len = 1;
-					sty = ACL_STYLE_REGEX;
+				if ( strcasecmp( left, "*" ) == 0 ) {
+					if ( is_realdn ) {
+						acl_usage();
+					}
 
-				} else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
-					ber_str2bv("anonymous", sizeof("anonymous")-1, 1, &bv);
+					ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
 					sty = ACL_STYLE_REGEX;
 
-				} else if ( strcasecmp( argv[i], "self" ) == 0 ) {
-					ber_str2bv("self", sizeof("self")-1, 1, &bv);
-					sty = ACL_STYLE_REGEX;
+				} else if ( strcasecmp( left, "anonymous" ) == 0 ) {
+					ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
+					sty = ACL_STYLE_ANONYMOUS;
 
-				} else if ( strcasecmp( argv[i], "users" ) == 0 ) {
-					ber_str2bv("users", sizeof("users")-1, 1, &bv);
-					sty = ACL_STYLE_REGEX;
+				} else if ( strcasecmp( left, "users" ) == 0 ) {
+					ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
+					sty = ACL_STYLE_USERS;
+
+				} else if ( strcasecmp( left, "self" ) == 0 ) {
+					ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
+					sty = ACL_STYLE_SELF;
 
 				} else if ( strcasecmp( left, "dn" ) == 0 ) {
 					if ( sty == ACL_STYLE_REGEX ) {
-						b->a_dn_style = ACL_STYLE_REGEX;
-						if( right == NULL ) {
+						bdn->a_style = ACL_STYLE_REGEX;
+						if ( right == NULL ) {
 							/* no '=' */
 							ber_str2bv("users",
-								sizeof("users")-1,
+								STRLENOF( "users" ),
 								1, &bv);
+							bdn->a_style = ACL_STYLE_USERS;
+
 						} else if (*right == '\0' ) {
 							/* dn="" */
 							ber_str2bv("anonymous",
-								sizeof("anonymous")-1,
+								STRLENOF( "anonymous" ),
 								1, &bv);
+							bdn->a_style = ACL_STYLE_ANONYMOUS;
+
 						} else if ( strcmp( right, "*" ) == 0 ) {
 							/* dn=* */
 							/* any or users?  users for now */
 							ber_str2bv("users",
-								sizeof("users")-1,
+								STRLENOF( "users" ),
 								1, &bv);
+							bdn->a_style = ACL_STYLE_USERS;
+
 						} else if ( strcmp( right, ".+" ) == 0
 							|| strcmp( right, "^.+" ) == 0
 							|| strcmp( right, ".+$" ) == 0
@@ -672,8 +782,10 @@ parse_acl(
 							|| strcmp( right, "^.+$$" ) == 0 )
 						{
 							ber_str2bv("users",
-								sizeof("users")-1,
+								STRLENOF( "users" ),
 								1, &bv);
+							bdn->a_style = ACL_STYLE_USERS;
+
 						} else if ( strcmp( right, ".*" ) == 0
 							|| strcmp( right, "^.*" ) == 0
 							|| strcmp( right, ".*$" ) == 0
@@ -682,15 +794,16 @@ parse_acl(
 							|| strcmp( right, "^.*$$" ) == 0 )
 						{
 							ber_str2bv("*",
-								sizeof("*")-1,
+								STRLENOF( "*" ),
 								1, &bv);
 
 						} else {
 							acl_regex_normalized_dn( right, &bv );
 							if ( !ber_bvccmp( &bv, '*' ) ) {
-								regtest(fname, lineno, bv.bv_val);
+								regtest( fname, lineno, bv.bv_val );
 							}
 						}
+
 					} else if ( right == NULL || *right == '\0' ) {
 						fprintf( stderr, "%s: line %d: "
 							"missing \"=\" in (or value after) \"%s\" "
@@ -703,32 +816,62 @@ parse_acl(
 					}
 
 				} else {
-					bv.bv_val = NULL;
+					BER_BVZERO( &bv );
 				}
 
-				if( bv.bv_val != NULL ) {
-					if( b->a_dn_pat.bv_len != 0 ) {
+				if ( !BER_BVISNULL( &bv ) ) {
+					if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
 						fprintf( stderr,
 						    "%s: line %d: dn pattern already specified.\n",
 						    fname, lineno );
 						acl_usage();
 					}
 
-					if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
+					if ( sty != ACL_STYLE_REGEX &&
+							sty != ACL_STYLE_ANONYMOUS &&
+							sty != ACL_STYLE_USERS &&
+							sty != ACL_STYLE_SELF &&
+							expand == 0 )
+					{
 						rc = dnNormalize(0, NULL, NULL,
-							&bv, &b->a_dn_pat, NULL);
+							&bv, &bdn->a_pat, NULL);
 						if ( rc != LDAP_SUCCESS ) {
 							fprintf( stderr,
 								"%s: line %d: bad DN \"%s\" in by DN clause\n",
 								fname, lineno, bv.bv_val );
 							acl_usage();
 						}
-						free(bv.bv_val);
+						free( bv.bv_val );
+
 					} else {
-						b->a_dn_pat = bv;
+						bdn->a_pat = bv;
+					}
+					bdn->a_style = sty;
+					bdn->a_expand = expand;
+					if ( sty == ACL_STYLE_SELF ) {
+						bdn->a_self_level = level;
+
+					} else {
+						if ( level < 0 ) {
+							fprintf( stderr,
+								"%s: line %d: bad negative level \"%d\" "
+								"in by DN clause\n",
+								fname, lineno, level );
+							acl_usage();
+						} else if ( level == 1 ) {
+							fprintf( stderr,
+								"%s: line %d: \"onelevel\" should be used "
+								"instead of \"level{1}\" in by DN clause\n",
+								fname, lineno, 0 );
+						} else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
+							fprintf( stderr,
+								"%s: line %d: \"base\" should be used "
+								"instead of \"level{0}\" in by DN clause\n",
+								fname, lineno, 0 );
+						}
+
+						bdn->a_level = level;
 					}
-					b->a_dn_style = sty;
-					b->a_dn_expand = expand;
 					continue;
 				}
 
@@ -741,14 +884,14 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( b->a_dn_at != NULL ) {
+					if( bdn->a_at != NULL ) {
 						fprintf( stderr,
 							"%s: line %d: dnattr already specified.\n",
 							fname, lineno );
 						acl_usage();
 					}
 
-					rc = slap_str2ad( right, &b->a_dn_at, &text );
+					rc = slap_str2ad( right, &bdn->a_at, &text );
 
 					if( rc != LDAP_SUCCESS ) {
 						fprintf( stderr,
@@ -758,20 +901,20 @@ parse_acl(
 					}
 
 
-					if( !is_at_syntax( b->a_dn_at->ad_type,
+					if( !is_at_syntax( bdn->a_at->ad_type,
 						SLAPD_DN_SYNTAX ) &&
-						!is_at_syntax( b->a_dn_at->ad_type,
+						!is_at_syntax( bdn->a_at->ad_type,
 						SLAPD_NAMEUID_SYNTAX ))
 					{
 						fprintf( stderr,
 							"%s: line %d: dnattr \"%s\": "
 							"inappropriate syntax: %s\n",
 							fname, lineno, right,
-							b->a_dn_at->ad_type->sat_syntax_oid );
+							bdn->a_at->ad_type->sat_syntax_oid );
 						acl_usage();
 					}
 
-					if( b->a_dn_at->ad_type->sat_equality == NULL ) {
+					if( bdn->a_at->ad_type->sat_equality == NULL ) {
 						fprintf( stderr,
 							"%s: line %d: dnattr \"%s\": "
 							"inappropriate matching (no EQUALITY)\n",
@@ -782,7 +925,7 @@ parse_acl(
 					continue;
 				}
 
-				if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
+				if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
 					char *name = NULL;
 					char *value = NULL;
 
@@ -818,7 +961,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( b->a_group_pat.bv_len ) {
+					if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
 						fprintf( stderr,
 							"%s: line %d: group pattern already specified.\n",
 							fname, lineno );
@@ -827,20 +970,21 @@ parse_acl(
 
 					/* format of string is
 						"group/objectClassValue/groupAttrName" */
-					if ((value = strchr(left, '/')) != NULL) {
+					if ( ( value = strchr(left, '/') ) != NULL ) {
 						*value++ = '\0';
-						if (*value && (name = strchr(value, '/')) != NULL) {
+						if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
 							*name++ = '\0';
 						}
 					}
 
 					b->a_group_style = sty;
-					if (sty == ACL_STYLE_EXPAND) {
+					if ( sty == ACL_STYLE_EXPAND ) {
 						acl_regex_normalized_dn( right, &bv );
 						if ( !ber_bvccmp( &bv, '*' ) ) {
-							regtest(fname, lineno, bv.bv_val);
+							regtest( fname, lineno, bv.bv_val );
 						}
 						b->a_group_pat = bv;
+
 					} else {
 						ber_str2bv( right, 0, 0, &bv );
 						rc = dnNormalize( 0, NULL, NULL, &bv,
@@ -853,17 +997,18 @@ parse_acl(
 						}
 					}
 
-					if (value && *value) {
+					if ( value && *value ) {
 						b->a_group_oc = oc_find( value );
 						*--value = '/';
 
-						if( b->a_group_oc == NULL ) {
+						if ( b->a_group_oc == NULL ) {
 							fprintf( stderr,
 								"%s: line %d: group objectclass "
 								"\"%s\" unknown\n",
 								fname, lineno, value );
 							acl_usage();
 						}
+
 					} else {
 						b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
 
@@ -876,8 +1021,8 @@ parse_acl(
 						}
 					}
 
-					if( is_object_subclass( slap_schema.si_oc_referral,
-						b->a_group_oc ))
+					if ( is_object_subclass( slap_schema.si_oc_referral,
+						b->a_group_oc ) )
 					{
 						fprintf( stderr,
 							"%s: line %d: group objectclass \"%s\" "
@@ -886,8 +1031,8 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( is_object_subclass( slap_schema.si_oc_alias,
-						b->a_group_oc ))
+					if ( is_object_subclass( slap_schema.si_oc_alias,
+						b->a_group_oc ) )
 					{
 						fprintf( stderr,
 							"%s: line %d: group objectclass \"%s\" "
@@ -896,7 +1041,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if (name && *name) {
+					if ( name && *name ) {
 						rc = slap_str2ad( name, &b->a_group_at, &text );
 
 						if( rc != LDAP_SUCCESS ) {
@@ -906,10 +1051,11 @@ parse_acl(
 							acl_usage();
 						}
 						*--name = '/';
+
 					} else {
 						rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
 
-						if( rc != LDAP_SUCCESS ) {
+						if ( rc != LDAP_SUCCESS ) {
 							fprintf( stderr,
 								"%s: line %d: group \"%s\": %s\n",
 								fname, lineno, SLAPD_GROUP_ATTR, text );
@@ -917,11 +1063,11 @@ parse_acl(
 						}
 					}
 
-					if( !is_at_syntax( b->a_group_at->ad_type,
+					if ( !is_at_syntax( b->a_group_at->ad_type,
 						SLAPD_DN_SYNTAX ) &&
-					    !is_at_syntax( b->a_group_at->ad_type,
+						!is_at_syntax( b->a_group_at->ad_type,
 						SLAPD_NAMEUID_SYNTAX ) &&
-						!is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ))
+						!is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
 					{
 						fprintf( stderr,
 							"%s: line %d: group \"%s\": inappropriate syntax: %s\n",
@@ -935,10 +1081,8 @@ parse_acl(
 						int rc;
 						struct berval vals[2];
 
-						vals[0].bv_val = b->a_group_oc->soc_oid;
-						vals[0].bv_len = strlen(vals[0].bv_val);
-						vals[1].bv_val = NULL;
-
+						ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
+						BER_BVZERO( &vals[1] );
 
 						rc = oc_check_allowed( b->a_group_at->ad_type,
 							vals, NULL );
@@ -956,7 +1100,7 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "peername" ) == 0 ) {
-					switch (sty) {
+					switch ( sty ) {
 					case ACL_STYLE_REGEX:
 					case ACL_STYLE_BASE:
 						/* legal, traditional */
@@ -982,7 +1126,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( b->a_peername_pat.bv_len ) {
+					if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
 						fprintf( stderr, "%s: line %d: "
 							"peername pattern already specified.\n",
 							fname, lineno );
@@ -990,10 +1134,10 @@ parse_acl(
 					}
 
 					b->a_peername_style = sty;
-					if (sty == ACL_STYLE_REGEX) {
+					if ( sty == ACL_STYLE_REGEX ) {
 						acl_regex_normalized_dn( right, &bv );
 						if ( !ber_bvccmp( &bv, '*' ) ) {
-							regtest(fname, lineno, bv.bv_val);
+							regtest( fname, lineno, bv.bv_val );
 						}
 						b->a_peername_pat = bv;
 
@@ -1009,7 +1153,7 @@ parse_acl(
 							split( addr, '%', &addr, &mask );
 
 							b->a_peername_addr = inet_addr( addr );
-							if ( b->a_peername_addr == (unsigned long)(-1)) {
+							if ( b->a_peername_addr == (unsigned long)(-1) ) {
 								/* illegal address */
 								fprintf( stderr, "%s: line %d: "
 									"illegal peername address \"%s\".\n",
@@ -1021,7 +1165,7 @@ parse_acl(
 							if ( mask != NULL ) {
 								b->a_peername_mask = inet_addr( mask );
 								if ( b->a_peername_mask ==
-									(unsigned long)(-1))
+									(unsigned long)(-1) )
 								{
 									/* illegal mask */
 									fprintf( stderr, "%s: line %d: "
@@ -1052,7 +1196,7 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "sockname" ) == 0 ) {
-					switch (sty) {
+					switch ( sty ) {
 					case ACL_STYLE_REGEX:
 					case ACL_STYLE_BASE:
 						/* legal, traditional */
@@ -1076,7 +1220,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( b->a_sockname_pat.bv_len ) {
+					if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
 						fprintf( stderr, "%s: line %d: "
 							"sockname pattern already specified.\n",
 							fname, lineno );
@@ -1084,12 +1228,13 @@ parse_acl(
 					}
 
 					b->a_sockname_style = sty;
-					if (sty == ACL_STYLE_REGEX) {
+					if ( sty == ACL_STYLE_REGEX ) {
 						acl_regex_normalized_dn( right, &bv );
 						if ( !ber_bvccmp( &bv, '*' ) ) {
-							regtest(fname, lineno, bv.bv_val);
+							regtest( fname, lineno, bv.bv_val );
 						}
 						b->a_sockname_pat = bv;
+						
 					} else {
 						ber_str2bv( right, 0, 1, &b->a_sockname_pat );
 					}
@@ -1109,7 +1254,8 @@ parse_acl(
 						if ( expand ) {
 							fprintf( stderr,
 								"%s: line %d: "
-								"\"expand\" modifier with \"expand\" style\n",
+								"\"expand\" modifier "
+								"with \"expand\" style\n",
 								fname, lineno );
 						}
 						sty = ACL_STYLE_BASE;
@@ -1132,7 +1278,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( b->a_domain_pat.bv_len ) {
+					if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
 						fprintf( stderr,
 							"%s: line %d: domain pattern already specified.\n",
 							fname, lineno );
@@ -1141,12 +1287,13 @@ parse_acl(
 
 					b->a_domain_style = sty;
 					b->a_domain_expand = expand;
-					if (sty == ACL_STYLE_REGEX) {
+					if ( sty == ACL_STYLE_REGEX ) {
 						acl_regex_normalized_dn( right, &bv );
 						if ( !ber_bvccmp( &bv, '*' ) ) {
-							regtest(fname, lineno, bv.bv_val);
+							regtest( fname, lineno, bv.bv_val );
 						}
 						b->a_domain_pat = bv;
+
 					} else {
 						ber_str2bv( right, 0, 1, &b->a_domain_pat );
 					}
@@ -1154,7 +1301,7 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "sockurl" ) == 0 ) {
-					switch (sty) {
+					switch ( sty ) {
 					case ACL_STYLE_REGEX:
 					case ACL_STYLE_BASE:
 						/* legal, traditional */
@@ -1178,7 +1325,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( b->a_sockurl_pat.bv_len ) {
+					if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
 						fprintf( stderr,
 							"%s: line %d: sockurl pattern already specified.\n",
 							fname, lineno );
@@ -1186,12 +1333,13 @@ parse_acl(
 					}
 
 					b->a_sockurl_style = sty;
-					if (sty == ACL_STYLE_REGEX) {
+					if ( sty == ACL_STYLE_REGEX ) {
 						acl_regex_normalized_dn( right, &bv );
 						if ( !ber_bvccmp( &bv, '*' ) ) {
-							regtest(fname, lineno, bv.bv_val);
+							regtest( fname, lineno, bv.bv_val );
 						}
 						b->a_sockurl_pat = bv;
+						
 					} else {
 						ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
 					}
@@ -1199,14 +1347,29 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "set" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+					switch ( sty ) {
+						/* deprecated */
+					case ACL_STYLE_REGEX:
+						fprintf( stderr, "%s: line %d: "
+							"deprecated set style "
+							"\"regex\" in <by> clause; "
+							"use \"expand\" instead\n",
+							fname, lineno );
+						sty = ACL_STYLE_EXPAND;
+						/* FALLTHRU */
+						
+					case ACL_STYLE_BASE:
+					case ACL_STYLE_EXPAND:
+						break;
+
+					default:
 						fprintf( stderr, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
-						    fname, lineno, style );
+							fname, lineno, style );
 						acl_usage();
 					}
 
-					if( b->a_set_pat.bv_len != 0 ) {
+					if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
 						fprintf( stderr,
 							"%s: line %d: set attribute already specified.\n",
 							fname, lineno );
@@ -1226,6 +1389,30 @@ parse_acl(
 					continue;
 				}
 
+#ifdef SLAP_DYNACL
+				{
+					char		*name = NULL;
+					
+					if ( strcasecmp( left, "aci" ) == 0 ) {
+						name = "aci";
+						
+					} else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
+						name = &left[ STRLENOF( "dynacl/" ) ];
+					}
+
+					if ( name ) {
+						if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
+							fprintf( stderr, "%s: line %d: "
+								"unable to configure dynacl \"%s\"\n",
+								fname, lineno, name );
+							acl_usage();
+						}
+
+						continue;
+					}
+				}
+#else /* ! SLAP_DYNACL */
+
 #ifdef SLAPD_ACI_ENABLED
 				if ( strcasecmp( left, "aci" ) == 0 ) {
 					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
@@ -1269,16 +1456,17 @@ parse_acl(
 					continue;
 				}
 #endif /* SLAPD_ACI_ENABLED */
+#endif /* ! SLAP_DYNACL */
 
 				if ( strcasecmp( left, "ssf" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
 						fprintf( stderr, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
 						    fname, lineno, style );
 						acl_usage();
 					}
 
-					if( b->a_authz.sai_ssf ) {
+					if ( b->a_authz.sai_ssf ) {
 						fprintf( stderr,
 							"%s: line %d: ssf attribute already specified.\n",
 							fname, lineno );
@@ -1300,7 +1488,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( !b->a_authz.sai_ssf ) {
+					if ( !b->a_authz.sai_ssf ) {
 						fprintf( stderr,
 							"%s: line %d: invalid ssf value (%s)\n",
 							fname, lineno, right );
@@ -1310,14 +1498,14 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
 						fprintf( stderr, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
-						    fname, lineno, style );
+							fname, lineno, style );
 						acl_usage();
 					}
 
-					if( b->a_authz.sai_transport_ssf ) {
+					if ( b->a_authz.sai_transport_ssf ) {
 						fprintf( stderr, "%s: line %d: "
 							"transport_ssf attribute already specified.\n",
 							fname, lineno );
@@ -1339,7 +1527,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( !b->a_authz.sai_transport_ssf ) {
+					if ( !b->a_authz.sai_transport_ssf ) {
 						fprintf( stderr,
 							"%s: line %d: invalid transport_ssf value (%s)\n",
 							fname, lineno, right );
@@ -1349,14 +1537,14 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
 						fprintf( stderr, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
-						    fname, lineno, style );
+							fname, lineno, style );
 						acl_usage();
 					}
 
-					if( b->a_authz.sai_tls_ssf ) {
+					if ( b->a_authz.sai_tls_ssf ) {
 						fprintf( stderr, "%s: line %d: "
 							"tls_ssf attribute already specified.\n",
 							fname, lineno );
@@ -1378,7 +1566,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( !b->a_authz.sai_tls_ssf ) {
+					if ( !b->a_authz.sai_tls_ssf ) {
 						fprintf( stderr,
 							"%s: line %d: invalid tls_ssf value (%s)\n",
 							fname, lineno, right );
@@ -1388,14 +1576,14 @@ parse_acl(
 				}
 
 				if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+					if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
 						fprintf( stderr, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
-						    fname, lineno, style );
+							fname, lineno, style );
 						acl_usage();
 					}
 
-					if( b->a_authz.sai_sasl_ssf ) {
+					if ( b->a_authz.sai_sasl_ssf ) {
 						fprintf( stderr, "%s: line %d: "
 							"sasl_ssf attribute already specified.\n",
 							fname, lineno );
@@ -1417,7 +1605,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( !b->a_authz.sai_sasl_ssf ) {
+					if ( !b->a_authz.sai_sasl_ssf ) {
 						fprintf( stderr,
 							"%s: line %d: invalid sasl_ssf value (%s)\n",
 							fname, lineno, right );
@@ -1426,34 +1614,34 @@ parse_acl(
 					continue;
 				}
 
-				if( right != NULL ) {
+				if ( right != NULL ) {
 					/* unsplit */
 					right[-1] = '=';
 				}
 				break;
 			}
 
-			if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) { 
+			if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) { 
 				/* out of arguments or plain stop */
 
-				ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
 				b->a_type = ACL_STOP;
 
 				access_append( &a->acl_access, b );
 				continue;
 			}
 
-			if( strcasecmp( left, "continue" ) == 0 ) {
+			if ( strcasecmp( left, "continue" ) == 0 ) {
 				/* plain continue */
 
-				ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
 				b->a_type = ACL_CONTINUE;
 
 				access_append( &a->acl_access, b );
 				continue;
 			}
 
-			if( strcasecmp( left, "break" ) == 0 ) {
+			if ( strcasecmp( left, "break" ) == 0 ) {
 				/* plain continue */
 
 				ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
@@ -1466,7 +1654,7 @@ parse_acl(
 			if ( strcasecmp( left, "by" ) == 0 ) {
 				/* we've gone too far */
 				--i;
-				ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
 				b->a_type = ACL_STOP;
 
 				access_append( &a->acl_access, b );
@@ -1474,15 +1662,19 @@ parse_acl(
 			}
 
 			/* get <access> */
-			if( strncasecmp( left, "self", 4 ) == 0 ) {
+			if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
 				b->a_dn_self = 1;
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
+				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
+
+			} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
+				b->a_realdn_self = 1;
+				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
 
 			} else {
 				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
 			}
 
-			if( ACL_IS_INVALID( b->a_access_mask ) ) {
+			if ( ACL_IS_INVALID( b->a_access_mask ) ) {
 				fprintf( stderr,
 					"%s: line %d: expecting <access> got \"%s\"\n",
 					fname, lineno, left );
@@ -1491,17 +1683,17 @@ parse_acl(
 
 			b->a_type = ACL_STOP;
 
-			if( ++i == argc ) {
+			if ( ++i == argc ) {
 				/* out of arguments or plain stop */
 				access_append( &a->acl_access, b );
 				continue;
 			}
 
-			if( strcasecmp( argv[i], "continue" ) == 0 ) {
+			if ( strcasecmp( argv[i], "continue" ) == 0 ) {
 				/* plain continue */
 				b->a_type = ACL_CONTINUE;
 
-			} else if( strcasecmp( argv[i], "break" ) == 0 ) {
+			} else if ( strcasecmp( argv[i], "break" ) == 0 ) {
 				/* plain continue */
 				b->a_type = ACL_BREAK;
 
@@ -1514,8 +1706,9 @@ parse_acl(
 
 		} else {
 			fprintf( stderr,
-		    "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
-			    fname, lineno, argv[i] );
+				"%s: line %d: expecting \"to\" "
+				"or \"by\" got \"%s\"\n",
+				fname, lineno, argv[i] );
 			acl_usage();
 		}
 	}
@@ -1528,17 +1721,26 @@ parse_acl(
 
 	} else {
 #ifdef LDAP_DEBUG
-		if (ldap_debug & LDAP_DEBUG_ACL) print_acl(be, a);
+		if ( ldap_debug & LDAP_DEBUG_ACL ) {
+			print_acl( be, a );
+		}
 #endif
 	
 		if ( a->acl_access == NULL ) {
 			fprintf( stderr, "%s: line %d: "
 				"warning: no by clause(s) specified in access line\n",
-			    fname, lineno );
+				fname, lineno );
 		}
 
 		if ( be != NULL ) {
-#ifdef LDAP_DEVEL
+			if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
+				fprintf( stderr, "%s: line %d: warning: "
+					"scope checking only applies to single-valued "
+					"suffix databases\n",
+					fname, lineno );
+				/* go ahead, since checking is not authoritative */
+			}
+
 			switch ( check_scope( be, a ) ) {
 			case ACL_SCOPE_UNKNOWN:
 				fprintf( stderr, "%s: line %d: warning: "
@@ -1570,19 +1772,19 @@ parse_acl(
 			default:
 				break;
 			}
-#endif /* LDAP_DEVEL */
 			acl_append( &be->be_acl, a );
+
 		} else {
-			acl_append( &global_acl, a );
+			acl_append( &frontendDB->be_acl, a );
 		}
 	}
 }
 
 char *
-accessmask2str( slap_mask_t mask, char *buf )
+accessmask2str( slap_mask_t mask, char *buf, int debug )
 {
-	int none=1;
-	char *ptr = buf;
+	int	none = 1;
+	char	*ptr = buf;
 
 	assert( buf != NULL );
 
@@ -1596,6 +1798,9 @@ accessmask2str( slap_mask_t mask, char *buf )
 		if ( ACL_LVL_IS_NONE(mask) ) {
 			ptr = lutil_strcopy( ptr, "none" );
 
+		} else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
+			ptr = lutil_strcopy( ptr, "disclose" );
+
 		} else if ( ACL_LVL_IS_AUTH(mask) ) {
 			ptr = lutil_strcopy( ptr, "auth" );
 
@@ -1610,10 +1815,18 @@ accessmask2str( slap_mask_t mask, char *buf )
 
 		} else if ( ACL_LVL_IS_WRITE(mask) ) {
 			ptr = lutil_strcopy( ptr, "write" );
+
+		} else if ( ACL_LVL_IS_MANAGE(mask) ) {
+			ptr = lutil_strcopy( ptr, "manage" );
+
 		} else {
 			ptr = lutil_strcopy( ptr, "unknown" );
 		}
 		
+		if ( !debug ) {
+			*ptr = '\0';
+			return buf;
+		}
 		*ptr++ = '(';
 	}
 
@@ -1627,6 +1840,11 @@ accessmask2str( slap_mask_t mask, char *buf )
 		*ptr++ = '=';
 	}
 
+	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
+		none = 0;
+		*ptr++ = 'm';
+	} 
+
 	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
 		none = 0;
 		*ptr++ = 'w';
@@ -1652,13 +1870,18 @@ accessmask2str( slap_mask_t mask, char *buf )
 		*ptr++ = 'x';
 	} 
 
+	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
+		none = 0;
+		*ptr++ = 'd';
+	} 
+
 	if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
 		none = 0;
 		*ptr++ = 'n';
 	} 
 
 	if ( none ) {
-		*ptr++ = '0';
+		ptr = buf;
 	}
 
 	if ( ACL_IS_LEVEL( mask ) ) {
@@ -1693,7 +1916,10 @@ str2accessmask( const char *str )
 		}
 
 		for( i=1; str[i] != '\0'; i++ ) {
-			if( TOLOWER((unsigned char) str[i]) == 'w' ) {
+			if( TOLOWER((unsigned char) str[i]) == 'm' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
+
+			} else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
 
 			} else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
@@ -1708,6 +1934,9 @@ str2accessmask( const char *str )
 			} else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
 
+			} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
+
 			} else if( str[i] != '0' ) {
 				ACL_INVALIDATE(mask);
 				return mask;
@@ -1720,6 +1949,9 @@ str2accessmask( const char *str )
 	if ( strcasecmp( str, "none" ) == 0 ) {
 		ACL_LVL_ASSIGN_NONE(mask);
 
+	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
+		ACL_LVL_ASSIGN_DISCLOSE(mask);
+
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
 		ACL_LVL_ASSIGN_AUTH(mask);
 
@@ -1735,6 +1967,9 @@ str2accessmask( const char *str )
 	} else if ( strcasecmp( str, "write" ) == 0 ) {
 		ACL_LVL_ASSIGN_WRITE(mask);
 
+	} else if ( strcasecmp( str, "manage" ) == 0 ) {
+		ACL_LVL_ASSIGN_MANAGE(mask);
+
 	} else {
 		ACL_INVALIDATE( mask );
 	}
@@ -1745,29 +1980,36 @@ str2accessmask( const char *str )
 static void
 acl_usage( void )
 {
-	fprintf( stderr, "%s%s\n",
+	fprintf( stderr, "%s%s%s\n",
 		"<access clause> ::= access to <what> "
 				"[ by <who> <access> [ <control> ] ]+ \n"
 		"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
-		"<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
-		"<attr> ::= <attrname> | entry | children\n"
+		"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
+		"<attr> ::= <attrname> | entry | children\n",
 		"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
+			"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
 			"\t[dnattr=<attrname>]\n"
+			"\t[realdnattr=<attrname>]\n"
 			"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
-			"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n",
+			"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
 			"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
 #ifdef SLAPD_ACI_ENABLED
-			"\t[aci=<attrname>]\n"
+			"\t[aci=[<attrname>]]\n"
 #endif
-			"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
+#ifdef SLAP_DYNACL
+			"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
+#endif /* SLAP_DYNACL */
+			"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
+		"<style> ::= exact | regex | base(Object)\n"
 		"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
 			"exact | regex\n"
-		"<style> ::= exact | regex | base(Object)\n"
+		"<attrstyle> ::= exact | regex | base(Object) | one(level) | "
+			"sub(tree) | children\n"
 		"<peernamestyle> ::= exact | regex | ip | path\n"
 		"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
-		"<access> ::= [self]{<level>|<priv>}\n"
-		"<level> ::= none | auth | compare | search | read | write\n"
-		"<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
+		"<access> ::= [[real]self]{<level>|<priv>}\n"
+		"<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
+		"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
 		"<control> ::= [ stop | continue | break ]\n"
 	);
 	exit( EXIT_FAILURE );
@@ -1815,7 +2057,7 @@ acl_regex_normalized_dn(
 		}
 	}
 	pattern->bv_val = str;
-	pattern->bv_len = p-str;
+	pattern->bv_len = p - str;
 
 	return;
 }
@@ -1856,13 +2098,30 @@ acl_append( AccessControl **l, AccessControl *a )
 static void
 access_free( Access *a )
 {
-	if ( a->a_dn_pat.bv_val ) free ( a->a_dn_pat.bv_val );
-	if ( a->a_peername_pat.bv_val ) free ( a->a_peername_pat.bv_val );
-	if ( a->a_sockname_pat.bv_val ) free ( a->a_sockname_pat.bv_val );
-	if ( a->a_domain_pat.bv_val ) free ( a->a_domain_pat.bv_val );
-	if ( a->a_sockurl_pat.bv_val ) free ( a->a_sockurl_pat.bv_val );
-	if ( a->a_set_pat.bv_len ) free ( a->a_set_pat.bv_val );
-	if ( a->a_group_pat.bv_len ) free ( a->a_group_pat.bv_val );
+	if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
+		free( a->a_dn_pat.bv_val );
+	}
+	if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
+		free( a->a_realdn_pat.bv_val );
+	}
+	if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
+		free( a->a_peername_pat.bv_val );
+	}
+	if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
+		free( a->a_sockname_pat.bv_val );
+	}
+	if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
+		free( a->a_domain_pat.bv_val );
+	}
+	if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
+		free( a->a_sockurl_pat.bv_val );
+	}
+	if ( !BER_BVISNULL( &a->a_set_pat ) ) {
+		free( a->a_set_pat.bv_val );
+	}
+	if ( !BER_BVISNULL( &a->a_group_pat ) ) {
+		free( a->a_group_pat.bv_val );
+	}
 	free( a );
 }
 
@@ -1872,15 +2131,19 @@ acl_free( AccessControl *a )
 	Access *n;
 	AttributeName *an;
 
-	if ( a->acl_filter ) filter_free( a->acl_filter );
-	if ( a->acl_dn_pat.bv_len ) free ( a->acl_dn_pat.bv_val );
+	if ( a->acl_filter ) {
+		filter_free( a->acl_filter );
+	}
+	if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
+		free ( a->acl_dn_pat.bv_val );
+	}
 	if ( a->acl_attrs ) {
-		for ( an = a->acl_attrs; an->an_name.bv_val; an++ ) {
+		for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
 			free( an->an_name.bv_val );
 		}
 		free( a->acl_attrs );
 	}
-	for (; a->acl_access; a->acl_access = n) {
+	for ( ; a->acl_access; a->acl_access = n ) {
 		n = a->acl_access->a_next;
 		access_free( a->acl_access );
 	}
@@ -1911,6 +2174,9 @@ access2str( slap_access_t access )
 	if ( access == ACL_NONE ) {
 		return "none";
 
+	} else if ( access == ACL_DISCLOSE ) {
+		return "disclose";
+
 	} else if ( access == ACL_AUTH ) {
 		return "auth";
 
@@ -1925,6 +2191,10 @@ access2str( slap_access_t access )
 
 	} else if ( access == ACL_WRITE ) {
 		return "write";
+
+	} else if ( access == ACL_MANAGE ) {
+		return "manage";
+
 	}
 
 	return "unknown";
@@ -1936,6 +2206,9 @@ str2access( const char *str )
 	if ( strcasecmp( str, "none" ) == 0 ) {
 		return ACL_NONE;
 
+	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
+		return ACL_DISCLOSE;
+
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
 		return ACL_AUTH;
 
@@ -1950,128 +2223,231 @@ str2access( const char *str )
 
 	} else if ( strcasecmp( str, "write" ) == 0 ) {
 		return ACL_WRITE;
+
+	} else if ( strcasecmp( str, "manage" ) == 0 ) {
+		return ACL_MANAGE;
 	}
 
 	return( ACL_INVALID_ACCESS );
 }
 
-#ifdef LDAP_DEBUG
+#define ACLBUF_MAXLEN	8192
 
-static void
-print_access( Access *b )
+static char aclbuf[ACLBUF_MAXLEN];
+
+static char *
+dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
 {
-	char maskbuf[ACCESSMASK_MAXLEN];
+	*ptr++ = ' ';
 
-	fprintf( stderr, "\tby" );
+	if ( is_realdn ) {
+		ptr = lutil_strcopy( ptr, "real" );
+	}
 
-	if ( b->a_dn_pat.bv_len != 0 ) {
-		if( strcmp(b->a_dn_pat.bv_val, "*") == 0 ||
-			strcmp(b->a_dn_pat.bv_val, "users") == 0 ||
-			strcmp(b->a_dn_pat.bv_val, "anonymous") == 0 ||
-			strcmp(b->a_dn_pat.bv_val, "self") == 0 )
-		{
-			fprintf( stderr, " %s", b->a_dn_pat.bv_val );
+	if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
+		bdn->a_style == ACL_STYLE_ANONYMOUS ||
+		bdn->a_style == ACL_STYLE_USERS ||
+		bdn->a_style == ACL_STYLE_SELF )
+	{
+		if ( is_realdn ) {
+			assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
+		}
+			
+		ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
+		if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
+			int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
+			if ( n > 0 ) {
+				ptr += n;
+			} /* else ? */
+		}
 
-		} else {
-			fprintf( stderr, " dn.%s=\"%s\"",
-				style_strings[b->a_dn_style], b->a_dn_pat.bv_val );
+	} else {
+		ptr = lutil_strcopy( ptr, "dn." );
+		ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
+		if ( bdn->a_style == ACL_STYLE_LEVEL ) {
+			int n = sprintf( ptr, "{%d}", bdn->a_level );
+			if ( n > 0 ) {
+				ptr += n;
+			} /* else ? */
+		}
+		if ( bdn->a_expand ) {
+			ptr = lutil_strcopy( ptr, ",expand" );
+		}
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
+		*ptr++ = '"';
+	}
+
+	if ( bdn->a_at != NULL ) {
+		*ptr++ = ' ';
+		if ( is_realdn ) {
+			ptr = lutil_strcopy( ptr, "real" );
 		}
+		ptr = lutil_strcopy( ptr, "dnattr=" );
+		ptr = lutil_strcopy( ptr, bdn->a_at->ad_cname.bv_val );
 	}
 
-	if ( b->a_dn_at != NULL ) {
-		fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
+	return ptr;
+}
+
+static char *
+access2text( Access *b, char *ptr )
+{
+	char maskbuf[ACCESSMASK_MAXLEN];
+
+	ptr = lutil_strcopy( ptr, "\tby" );
+
+	if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
+		ptr = dnaccess2text( &b->a_dn, ptr, 0 );
 	}
 
-	if ( b->a_group_pat.bv_len ) {
-		fprintf( stderr, " group/%s/%s.%s=\"%s\"",
-			b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
-			b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
-			style_strings[b->a_group_style],
-			b->a_group_pat.bv_val );
-    }
+	if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
+		ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
+	}
 
-	if ( b->a_peername_pat.bv_len != 0 ) {
-		fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
+	if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
+		ptr = lutil_strcopy( ptr, " group/" );
+		ptr = lutil_strcopy( ptr, b->a_group_oc ?
+			b->a_group_oc->soc_cname.bv_val : "groupOfNames" );
+		*ptr++ = '/';
+		ptr = lutil_strcopy( ptr, b->a_group_at ?
+			b->a_group_at->ad_cname.bv_val : "member" );
+		*ptr++ = '.';
+		ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
+		*ptr++ = '"';
+	}
+
+	if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
+		ptr = lutil_strcopy( ptr, " peername=\"" );
+		ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
+		*ptr++ = '"';
 	}
 
-	if ( b->a_sockname_pat.bv_len != 0 ) {
-		fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
+	if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
+		ptr = lutil_strcopy( ptr, " sockname=\"" );
+		ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
+		*ptr++ = '"';
 	}
 
-	if ( b->a_domain_pat.bv_len != 0 ) {
-		fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
+	if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
+		ptr = lutil_strcopy( ptr, " domain=" );
+		ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
 	}
 
-	if ( b->a_sockurl_pat.bv_len != 0 ) {
-		fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
+	if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
+		ptr = lutil_strcopy( ptr, " sockurl=\"" );
+		ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
+		*ptr++ = '"';
 	}
 
-	if ( b->a_set_pat.bv_len != 0 ) {
-		fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val );
+	if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
+		ptr = lutil_strcopy( ptr, " set=\"" );
+		ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
+		*ptr++ = '"';
 	}
 
+#ifdef SLAP_DYNACL
+	if ( b->a_dynacl ) {
+		slap_dynacl_t	*da;
+
+		for ( da = b->a_dynacl; da; da = da->da_next ) {
+			if ( da->da_unparse ) {
+				struct berval bv;
+				(void)( *da->da_unparse )( da->da_private, &bv );
+				ptr = lutil_strcopy( ptr, bv.bv_val );
+				ch_free( bv.bv_val );
+			}
+		}
+	}
+#else /* ! SLAP_DYNACL */
 #ifdef SLAPD_ACI_ENABLED
 	if ( b->a_aci_at != NULL ) {
-		fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
+		ptr = lutil_strcopy( ptr, " aci=" );
+		ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
 	}
 #endif
+#endif /* SLAP_DYNACL */
 
 	/* Security Strength Factors */
 	if ( b->a_authz.sai_ssf ) {
-		fprintf( stderr, " ssf=%u",
+		ptr += sprintf( ptr, " ssf=%u", 
 			b->a_authz.sai_ssf );
 	}
 	if ( b->a_authz.sai_transport_ssf ) {
-		fprintf( stderr, " transport_ssf=%u",
+		ptr += sprintf( ptr, " transport_ssf=%u",
 			b->a_authz.sai_transport_ssf );
 	}
 	if ( b->a_authz.sai_tls_ssf ) {
-		fprintf( stderr, " tls_ssf=%u",
+		ptr += sprintf( ptr, " tls_ssf=%u",
 			b->a_authz.sai_tls_ssf );
 	}
 	if ( b->a_authz.sai_sasl_ssf ) {
-		fprintf( stderr, " sasl_ssf=%u",
+		ptr += sprintf( ptr, " sasl_ssf=%u",
 			b->a_authz.sai_sasl_ssf );
 	}
 
-	fprintf( stderr, " %s%s",
-		b->a_dn_self ? "self" : "",
-		accessmask2str( b->a_access_mask, maskbuf ) );
+	*ptr++ = ' ';
+	if ( b->a_dn_self ) {
+		ptr = lutil_strcopy( ptr, "self" );
+	} else if ( b->a_realdn_self ) {
+		ptr = lutil_strcopy( ptr, "realself" );
+	}
+	ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
+	if ( !maskbuf[0] ) ptr--;
 
 	if( b->a_type == ACL_BREAK ) {
-		fprintf( stderr, " break" );
+		ptr = lutil_strcopy( ptr, " break" );
 
 	} else if( b->a_type == ACL_CONTINUE ) {
-		fprintf( stderr, " continue" );
+		ptr = lutil_strcopy( ptr, " continue" );
 
 	} else if( b->a_type != ACL_STOP ) {
-		fprintf( stderr, " unknown-control" );
+		ptr = lutil_strcopy( ptr, " unknown-control" );
+	} else {
+		if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
 	}
+	*ptr++ = '\n';
 
-	fprintf( stderr, "\n" );
+	return ptr;
 }
 
-
-static void
-print_acl( Backend *be, AccessControl *a )
+void
+acl_unparse( AccessControl *a, struct berval *bv )
 {
+	Access *b;
+	char *ptr;
 	int		to = 0;
-	Access	*b;
+	struct berval abv;
+
+	bv->bv_val = aclbuf;
+	bv->bv_len = 0;
 
-	fprintf( stderr, "%s ACL: access to",
-		be == NULL ? "Global" : "Backend" );
+	ptr = bv->bv_val;
 
-	if ( a->acl_dn_pat.bv_len != 0 ) {
+	ptr = lutil_strcopy( ptr, "to" );
+	if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
 		to++;
-		fprintf( stderr, " dn.%s=\"%s\"\n",
-			style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " dn." );
+		ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
+		ptr = lutil_strcopy( ptr, "\"\n" );
 	}
 
 	if ( a->acl_filter != NULL ) {
-		struct berval bv = BER_BVNULL;
+		struct berval	bv = BER_BVNULL;
+
 		to++;
 		filter2bv( a->acl_filter, &bv );
-		fprintf( stderr, " filter=%s\n", bv.bv_val );
+		ptr = lutil_strcopy( ptr, " filter=\"" );
+		ptr = lutil_strcopy( ptr, bv.bv_val );
+		*ptr++ = '"';
+		*ptr++ = '\n';
 		ch_free( bv.bv_val );
 	}
 
@@ -2080,31 +2456,54 @@ print_acl( Backend *be, AccessControl *a )
 		AttributeName *an;
 		to++;
 
-		fprintf( stderr, " attrs=" );
-		for ( an = a->acl_attrs; an && an->an_name.bv_val; an++ ) {
-			if ( ! first ) fprintf( stderr, "," );
+		ptr = lutil_strcopy( ptr, " attrs=" );
+		for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
+			if ( ! first ) *ptr++ = ',';
 			if (an->an_oc) {
-				fputc( an->an_oc_exclude ? '!' : '@', stderr);
+				*ptr++ = an->an_oc_exclude ? '!' : '@';
+				ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
+
+			} else {
+				ptr = lutil_strcopy( ptr, an->an_name.bv_val );
 			}
-			fputs( an->an_name.bv_val, stderr );
 			first = 0;
 		}
-		fprintf(  stderr, "\n" );
+		*ptr++ = '\n';
 	}
 
-	if ( a->acl_attrval.bv_len != 0 ) {
+	if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
 		to++;
-		fprintf( stderr, " val.%s=\"%s\"\n",
-			style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
-
+		ptr = lutil_strcopy( ptr, " val." );
+		ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
+		*ptr++ = '"';
+		*ptr++ = '\n';
 	}
 
-	if( !to ) fprintf( stderr, " *\n" );
+	if( !to ) {
+		ptr = lutil_strcopy( ptr, " *\n" );
+	}
 
 	for ( b = a->acl_access; b != NULL; b = b->a_next ) {
-		print_access( b );
+		ptr = access2text( b, ptr );
 	}
+	*ptr = '\0';
+	bv->bv_len = ptr - bv->bv_val;
+}
+
+#ifdef LDAP_DEBUG
+
+static void
+print_acl( Backend *be, AccessControl *a )
+{
+	int		to = 0;
+	Access	*b;
+	struct berval bv;
 
-	fprintf( stderr, "\n" );
+	acl_unparse( a, &bv );
+	fprintf( stderr, "%s ACL: access %s\n",
+		be == NULL ? "Global" : "Backend", bv.bv_val );
 }
 #endif /* LDAP_DEBUG */