From 235973571a2cfca652d7095f9658e8a8a2090480 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Thu, 28 Nov 2002 02:26:55 +0000 Subject: [PATCH] proxy authz control (client only) Misc control cleanups (client only) --- clients/tools/ldapcompare.c | 79 ++++++++---- clients/tools/ldapdelete.c | 55 +++++---- clients/tools/ldapmodify.c | 55 +++++---- clients/tools/ldapmodrdn.c | 55 +++++---- clients/tools/ldappasswd.c | 57 +++++---- clients/tools/ldapsearch.c | 221 ++++++++++++++++------------------ clients/tools/ldapwhoami.c | 60 +++++---- include/ldap.h | 42 +++++++ libraries/liblber/decode.c | 7 -- libraries/libldap/libldap.dsp | 12 ++ libraries/libldap/passwd.c | 151 +++++++++++++++++++++++ libraries/libldap/whoami.c | 85 +++++++++++++ 12 files changed, 625 insertions(+), 254 deletions(-) create mode 100644 libraries/libldap/passwd.c create mode 100644 libraries/libldap/whoami.c diff --git a/clients/tools/ldapcompare.c b/clients/tools/ldapcompare.c index e1ed0f74c7..1dedf90ed5 100644 --- a/clients/tools/ldapcompare.c +++ b/clients/tools/ldapcompare.c @@ -49,6 +49,7 @@ usage( const char *s ) " -d level set LDAP debugging level to `level'\n" " -D binddn bind DN\n" " -e [!][=] general controls (! indicates criticality)\n" +" [!]authzid= (\"dn:\" or \"u:\")\n" " [!]manageDSAit (alternate form, see -M)\n" " [!]noop\n" " -h host LDAP server\n" @@ -116,6 +117,7 @@ main( int argc, char **argv ) struct berval bvalue = { 0, NULL }; char *pw_file = NULL; char *control, *cvalue; + char *authzid = NULL; debug = verbose = not = referrals = noop = manageDSAit = want_bindpw = quiet = 0; 
@@ -196,7 +198,27 @@ main( int argc, char **argv ) *cvalue++ = '\0'; } - if ( strcasecmp( control, "manageDSAit" ) == 0 ) { + if ( strcasecmp( control, "authzid" ) == 0 ) { + if( authzid != NULL ) { + fprintf( stderr, "authzid control previously specified"); + return EXIT_FAILURE; + } + if( cvalue == NULL ) { + fprintf( stderr, "authzid: control value expected" ); + usage(prog); + return EXIT_FAILURE; + } + if( !crit ) { + fprintf( stderr, "authzid: must be marked critical" ); + usage(prog); + return EXIT_FAILURE; + } + + assert( authzid == NULL ); + authzid = control; + break; + + } else if ( strcasecmp( control, "manageDSAit" ) == 0 ) { if( manageDSAit ) { fprintf( stderr, "manageDSAit control previously specified"); return EXIT_FAILURE; @@ -208,7 +230,6 @@ main( int argc, char **argv ) } manageDSAit = 1 + crit; - free( control ); break; } else if ( strcasecmp( control, "noop" ) == 0 ) { @@ -223,7 +244,6 @@ main( int argc, char **argv ) } noop = 1 + crit; - free( control ); break; } else { 
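Review bot: In the new `authzid` branch (part of main()'s option loop, which starts and ends outside the hunk), `authzid = control;` stores the control name rather than its value. The context line just above splits the option with `*cvalue++ = '\0'`, so `control` appears to hold only the text before `=` and the identity the user typed is in `cvalue`; the assignment should be `authzid = cvalue;`, otherwise the proxy authorization control built later carries the literal name instead of the requested `dn:`/`u:` identity. The three new `fprintf( stderr, ... )` messages lack a trailing `\n`, and `assert( authzid == NULL )` repeats the check made at the top of the branch. The usage text of ldapdelete, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch and ldapwhoami now advertises `authzid=`, but none of their visible hunks adds this parsing branch, so `authzid` looks like it stays NULL in those tools.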
@@ -737,37 +757,50 @@ main( int argc, char **argv ) } } - if ( manageDSAit || noop ) { - int err, i = 0; - LDAPControl c1, c2; - LDAPControl *ctrls[3]; + if ( authzid || manageDSAit || noop ) { + int err, crit=0, i=0; + LDAPControl c[3]; + LDAPControl *ctrls[4]; + + if ( authzid ) { + c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c[i].ldctl_value.bv_val = authzid; + c[i].ldctl_value.bv_len = strlen( authzid ); + c[i].ldctl_iscritical = 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; + } if ( manageDSAit ) { - ctrls[i++] = &c1; - ctrls[i] = NULL; - c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; - c1.ldctl_value.bv_val = NULL; - c1.ldctl_value.bv_len = 0; - c1.ldctl_iscritical = manageDSAit > 1; + c[i].ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = manageDSAit > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } if ( noop ) { - ctrls[i++] = &c2; - ctrls[i] = NULL; - - c2.ldctl_oid = LDAP_CONTROL_NOOP; - c2.ldctl_value.bv_val = NULL; - c2.ldctl_value.bv_len = 0; - c2.ldctl_iscritical = noop > 1; + c[i].ldctl_oid = LDAP_CONTROL_NOOP; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = noop > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set %scontrols\n", - (c1.ldctl_iscritical || c2.ldctl_iscritical) - ? "critical " : "" ); - if ( c1.ldctl_iscritical && c2.ldctl_iscritical ) { + crit ? "critical " : "" ); + if ( crit ) { return EXIT_FAILURE; } } diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c index bc9d057dda..fe0e33f808 100644 --- a/clients/tools/ldapdelete.c +++ b/clients/tools/ldapdelete.c 
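Review bot: The proxy authorization control is hard-coded critical with `c[i].ldctl_iscritical = 1;`, which makes the test on the following line always true, and nothing records why. A comment such as `/* always critical: a server that ignored this control would perform the operation as the bound identity */` would keep a later edit from making it optional. The same block is pasted unchanged into ldapdelete.c, ldapmodify.c, ldapmodrdn.c, ldappasswd.c and ldapwhoami.c, and the ldapsearch.c variant has already diverged in its guard condition, so a shared helper in the tools' common code would be easier to keep correct. The enclosing main() continues outside the hunk.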
@@ -63,6 +63,7 @@ usage( const char *s ) " -d level set LDAP debugging level to `level'\n" " -D binddn bind DN\n" " -e [!][=] general controls (! indicates criticality)\n" +" [!]authzid= (\"dn:\" or \"u:\")\n" " [!]manageDSAit (alternate form, see -M)\n" " [!]noop\n" " -f file read operations from `file'\n" @@ -101,6 +102,7 @@ main( int argc, char **argv ) int i, rc, authmethod, referrals, want_bindpw, version, debug, manageDSAit, noop, crit; char *pw_file; char *control, *cvalue; + char *authzid = NULL; not = verbose = contoper = want_bindpw = debug = manageDSAit = noop = referrals = 0; @@ -207,7 +209,6 @@ main( int argc, char **argv ) } manageDSAit = 1 + crit; - free( control ); break; } else if ( strcasecmp( control, "noop" ) == 0 ) { @@ -222,7 +223,6 @@ main( int argc, char **argv ) } noop = 1 + crit; - free( control ); break; } else { 
@@ -702,37 +702,50 @@ main( int argc, char **argv ) } } - if ( manageDSAit || noop ) { - int err, i = 0; - LDAPControl c1, c2; - LDAPControl *ctrls[3]; + if ( authzid || manageDSAit || noop ) { + int err, crit=0, i=0; + LDAPControl c[3]; + LDAPControl *ctrls[4]; + + if ( authzid ) { + c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c[i].ldctl_value.bv_val = authzid; + c[i].ldctl_value.bv_len = strlen( authzid ); + c[i].ldctl_iscritical = 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; + } if ( manageDSAit ) { - ctrls[i++] = &c1; - ctrls[i] = NULL; - c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; - c1.ldctl_value.bv_val = NULL; - c1.ldctl_value.bv_len = 0; - c1.ldctl_iscritical = manageDSAit > 1; + c[i].ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = manageDSAit > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } if ( noop ) { - ctrls[i++] = &c2; - ctrls[i] = NULL; + c[i].ldctl_oid = LDAP_CONTROL_NOOP; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = noop > 1; - c2.ldctl_oid = LDAP_CONTROL_NOOP; - c2.ldctl_value.bv_val = NULL; - c2.ldctl_value.bv_len = 0; - c2.ldctl_iscritical = noop > 1; + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set %scontrols\n", - (c1.ldctl_iscritical || c2.ldctl_iscritical) - ? "critical " : "" ); - if ( c1.ldctl_iscritical && c2.ldctl_iscritical ) { + crit ? "critical " : "" ); + if ( crit ) { return EXIT_FAILURE; } } diff --git a/clients/tools/ldapmodify.c b/clients/tools/ldapmodify.c index 6f2efb8782..adf0403306 100644 --- a/clients/tools/ldapmodify.c +++ b/clients/tools/ldapmodify.c 
@@ -118,6 +118,7 @@ usage( const char *prog ) " -d level set LDAP debugging level to `level'\n" " -D binddn bind DN\n" " -e [!][=] general controls (! indicates criticality)\n" +" [!]authzid= (\"dn:\" or \"u:\")\n" " [!]manageDSAit (alternate form, see -M)\n" " [!]noop\n" " -f file read operations from `file'\n" @@ -159,6 +160,7 @@ main( int argc, char **argv ) int count, len; char *pw_file = NULL; char *control, *cvalue; + char *authzid = NULL; int crit; prog = lutil_progname( "ldapmodify", argc, argv ); @@ -271,7 +273,6 @@ main( int argc, char **argv ) } manageDSAit = 1 + crit; - free( control ); break; } else if ( strcasecmp( control, "noop" ) == 0 ) { @@ -286,7 +287,6 @@ main( int argc, char **argv ) } noop = 1 + crit; - free( control ); break; } else { 
@@ -796,37 +796,50 @@ main( int argc, char **argv ) rc = 0; - if ( manageDSAit || noop ) { - int err, i = 0; - LDAPControl c1, c2; - LDAPControl *ctrls[3]; + if ( authzid || manageDSAit || noop ) { + int err, crit=0, i=0; + LDAPControl c[3]; + LDAPControl *ctrls[4]; + + if ( authzid ) { + c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c[i].ldctl_value.bv_val = authzid; + c[i].ldctl_value.bv_len = strlen( authzid ); + c[i].ldctl_iscritical = 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; + } if ( manageDSAit ) { - ctrls[i++] = &c1; - ctrls[i] = NULL; - c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; - c1.ldctl_value.bv_val = NULL; - c1.ldctl_value.bv_len = 0; - c1.ldctl_iscritical = manageDSAit > 1; + c[i].ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = manageDSAit > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } if ( noop ) { - ctrls[i++] = &c2; - ctrls[i] = NULL; + c[i].ldctl_oid = LDAP_CONTROL_NOOP; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = noop > 1; - c2.ldctl_oid = LDAP_CONTROL_NOOP; - c2.ldctl_value.bv_val = NULL; - c2.ldctl_value.bv_len = 0; - c2.ldctl_iscritical = noop > 1; + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set %scontrols\n", - (c1.ldctl_iscritical || c2.ldctl_iscritical) - ? "critical " : "" ); - if ( c1.ldctl_iscritical && c2.ldctl_iscritical ) { + crit ? "critical " : "" ); + if ( crit ) { return EXIT_FAILURE; } } diff --git a/clients/tools/ldapmodrdn.c b/clients/tools/ldapmodrdn.c index cc36d120c0..60fd986adb 100644 --- a/clients/tools/ldapmodrdn.c +++ b/clients/tools/ldapmodrdn.c 
@@ -77,6 +77,7 @@ usage( const char *s ) " -d level set LDAP debugging level to `level'\n" " -D binddn bind DN\n" " -e [!][=] general controls (! indicates criticality)\n" +" [!]authzid= (\"dn:\" or \"u:\")\n" " [!]manageDSAit (alternate form, see -M)\n" " [!]noop\n" " -f file read operations from `file'\n" @@ -116,6 +117,7 @@ main(int argc, char **argv) char *newSuperior=NULL; char *pw_file = NULL; char *control, *cvalue; + char *authzid = NULL; infile = NULL; not = contoper = verbose = remove = want_bindpw = @@ -227,7 +229,6 @@ main(int argc, char **argv) } manageDSAit = 1 + crit; - free( control ); break; } else if ( strcasecmp( control, "noop" ) == 0 ) { @@ -242,7 +243,6 @@ main(int argc, char **argv) } noop = 1 + crit; - free( control ); break; } else { 
@@ -737,37 +737,50 @@ main(int argc, char **argv) } } - if ( manageDSAit || noop ) { - int err, i = 0; - LDAPControl c1, c2; - LDAPControl *ctrls[3]; + if ( authzid || manageDSAit || noop ) { + int err, crit=0, i=0; + LDAPControl c[3]; + LDAPControl *ctrls[4]; + + if ( authzid ) { + c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c[i].ldctl_value.bv_val = authzid; + c[i].ldctl_value.bv_len = strlen( authzid ); + c[i].ldctl_iscritical = 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; + } if ( manageDSAit ) { - ctrls[i++] = &c1; - ctrls[i] = NULL; - c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; - c1.ldctl_value.bv_val = NULL; - c1.ldctl_value.bv_len = 0; - c1.ldctl_iscritical = manageDSAit > 1; + c[i].ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = manageDSAit > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } if ( noop ) { - ctrls[i++] = &c2; - ctrls[i] = NULL; + c[i].ldctl_oid = LDAP_CONTROL_NOOP; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = noop > 1; - c2.ldctl_oid = LDAP_CONTROL_NOOP; - c2.ldctl_value.bv_val = NULL; - c2.ldctl_value.bv_len = 0; - c2.ldctl_iscritical = noop > 1; + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set %scontrols\n", - (c1.ldctl_iscritical || c2.ldctl_iscritical) - ? "critical " : "" ); - if ( c1.ldctl_iscritical && c2.ldctl_iscritical ) { + crit ? "critical " : "" ); + if ( crit ) { return EXIT_FAILURE; } } diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c index d2ad739ec2..4d3bfb29fc 100644 --- a/clients/tools/ldappasswd.c +++ b/clients/tools/ldappasswd.c 
@@ -41,6 +41,7 @@ usage(const char *s) " -d level set LDAP debugging level to `level'\n" " -D binddn bind DN\n" " -e [!][=] general controls (! indicates criticality)\n" +" [!]authzid= (\"dn:\" or \"u:\")\n" " [!]manageDSAit (alternate form, see -M)\n" " [!]noop\n" " -f file read operations from `file'\n" @@ -94,6 +95,8 @@ main( int argc, char *argv[] ) int noop = 0; int crit; char *control, *cvalue; + char *authzid = NULL; + #ifdef HAVE_CYRUS_SASL unsigned sasl_flags = LDAP_SASL_AUTOMATIC; char *sasl_realm = NULL; @@ -102,6 +105,7 @@ main( int argc, char *argv[] ) char *sasl_mech = NULL; char *sasl_secprops = NULL; #endif + int use_tls = 0; int referrals = 0; LDAP *ld = NULL; @@ -225,7 +229,6 @@ main( int argc, char *argv[] ) } manageDSAit = 1 + crit; - free( control ); break; } else if ( strcasecmp( control, "noop" ) == 0 ) { @@ -236,7 +239,6 @@ main( int argc, char *argv[] ) } noop = 1 + crit; - free( control ); break; } else { 
@@ -733,37 +735,50 @@ main( int argc, char *argv[] ) } } - if ( manageDSAit || noop ) { - int err, i = 0; - LDAPControl c1, c2; - LDAPControl *ctrls[3]; + if ( authzid || manageDSAit || noop ) { + int err, crit=0, i=0; + LDAPControl c[3]; + LDAPControl *ctrls[4]; + + if ( authzid ) { + c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c[i].ldctl_value.bv_val = authzid; + c[i].ldctl_value.bv_len = strlen( authzid ); + c[i].ldctl_iscritical = 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; + } if ( manageDSAit ) { - ctrls[i++] = &c1; - ctrls[i] = NULL; - c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; - c1.ldctl_value.bv_val = NULL; - c1.ldctl_value.bv_len = 0; - c1.ldctl_iscritical = manageDSAit > 1; + c[i].ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = manageDSAit > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } if ( noop ) { - ctrls[i++] = &c2; - ctrls[i] = NULL; + c[i].ldctl_oid = LDAP_CONTROL_NOOP; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = noop > 1; - c2.ldctl_oid = LDAP_CONTROL_NOOP; - c2.ldctl_value.bv_val = NULL; - c2.ldctl_value.bv_len = 0; - c2.ldctl_iscritical = noop > 1; + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set %scontrols\n", - (c1.ldctl_iscritical || c2.ldctl_iscritical) - ? "critical " : "" ); - if ( c1.ldctl_iscritical && c2.ldctl_iscritical ) { + crit ? "critical " : "" ); + if ( crit ) { return EXIT_FAILURE; } } diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c index 0c8f1126cf..6d15747cf8 100644 --- a/clients/tools/ldapsearch.c +++ b/clients/tools/ldapsearch.c 
@@ -58,7 +58,7 @@ usage( const char *s ) " [!]mv= (matched values filter)\n" #ifdef LDAP_CONTROL_PAGEDRESULTS " [!]pr= (paged results)\n" -#endif /* LDAP_CONTROL_PAGEDRESULTS */ +#endif #ifdef LDAP_CONTROL_SUBENTRIES " [!]subentries[=true|false] (subentries)\n" #endif @@ -80,7 +80,8 @@ usage( const char *s ) " -d level set LDAP debugging level to `level'\n" " -D binddn bind DN\n" " -e [!][=] general controls (! indicates criticality)\n" -" [!]manageDSAit (alternate form, see -M)\n" +" [!]authzid= (\"dn:\" or \"u:\")\n" +" [!]manageDSAit (alternate form, see -M)\n" " [!]noop\n" " -f file read operations from `file'\n" " -h host LDAP server\n" @@ -153,13 +154,6 @@ static int dosearch LDAP_P(( struct timeval *timeout, int sizelimit )); -#ifdef LDAP_CONTROL_PAGEDRESULTS -static int parse_page_control( - LDAP *ld, - LDAPMessage *result, - struct berval *cookie ); -#endif /* LDAP_CONTROL_PAGEDRESULTS */ - static char *tmpdir = NULL; static char *urlpre = NULL; static char *prog = NULL; @@ -180,9 +174,10 @@ static char *sasl_secprops = NULL; static int use_tls = 0; static char *sortattr = NULL; static int verbose, not, includeufn, vals2tmp, ldif; + #ifdef LDAP_CONTROL_PAGEDRESULTS -static int pageSize = 0; -static ber_int_t searchControlSize = 0; +static int pagedResults = 0; +static ber_int_t pageSize = 0; static ber_int_t entriesLeft = 0; static ber_int_t morePagedResults = 1; static struct berval cookie = { 0, NULL }; @@ -191,6 +186,11 @@ static int npagedentries; static int npagedreferences; static int npagedextended; static int npagedpartial; + +static int parse_page_control( + LDAP *ld, + LDAPMessage *result, + struct berval *cookie ); #endif /* LDAP_CONTROL_PAGEDRESULTS */ static void 
@@ -217,13 +217,14 @@ main( int argc, char **argv ) LDAP *ld = NULL; int subentries, valuesReturnFilter; BerElement *ber = NULL; - struct berval *bvalp = NULL; - char *vrFilter = NULL, *control = NULL, *cvalue; + struct berval *sebvalp = NULL, *vrbvalp = NULL; + char *vrFilter = NULL; + char *control = NULL, *cvalue; char *pw_file = NULL; + char *authzid = NULL; #ifdef LDAP_CONTROL_PAGEDRESULTS - BerElement *pageber = NULL; - struct berval *bvalptr = NULL; - int num = 0, searchControlCrit = 0; + struct berval *prbvalp = NULL; + int num = 0; #endif /* LDAP_CONTROL_PAGEDRESULTS */ @@ -336,20 +337,21 @@ main( int argc, char **argv ) #ifdef LDAP_CONTROL_PAGEDRESULTS } else if ( strcasecmp( control, "pr" ) == 0 ) { + int tmp; /* PagedResults control */ - if ( pageSize != 0 ) { + if ( pagedResults != 0 ) { fprintf( stderr, "PagedResultsControl previously specified" ); return EXIT_FAILURE; } - num = sscanf( cvalue, "%d", &pageSize ); + num = sscanf( cvalue, "%d", &tmp ); if ( num != 1 ) { fprintf( stderr, "Invalid value for PagedResultsControl, %s.\n", cvalue); return EXIT_FAILURE; } - searchControlSize = (ber_int_t)pageSize; - searchControlCrit = crit; + pageSize = (ber_int_t) tmp; + pagedResults = 1 + crit; break; #endif /* LDAP_CONTROL_PAGEDRESULTS */ @@ -476,7 +478,6 @@ main( int argc, char **argv ) } manageDSAit = 1 + crit; - free( control ); break; } else if ( strcasecmp( control, "noop" ) == 0 ) { @@ -491,7 +492,6 @@ main( int argc, char **argv ) } noop = 1 + crit; - free( control ); break; } else { 
@@ -1026,53 +1026,52 @@ main( int argc, char **argv ) #ifdef LDAP_CONTROL_PAGEDRESULTS getNextPage: - if ( manageDSAit || noop || valuesReturnFilter || pageSize ) { - int critical = 0; -#else /* !LDAP_CONTROL_PAGEDRESULTS */ - if ( manageDSAit || noop || valuesReturnFilter ) { -#endif /* !LDAP_CONTROL_PAGEDRESULTS */ + if ( manageDSAit || noop || subentries || valuesReturnFilter || pageSize ) +#else + if ( manageDSAit || noop || subentries || valuesReturnFilter ) +#endif + { int err; int i=0; - LDAPControl c1,c2,c3,c4,c5; - LDAPControl *ctrls[6]; + int crit = 0; + LDAPControl c[6]; + LDAPControl *ctrls[7]; + if ( authzid ) { + c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c[i].ldctl_value.bv_val = authzid; + c[i].ldctl_value.bv_len = strlen( authzid ); + c[i].ldctl_iscritical = 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; + } + if ( manageDSAit ) { - ctrls[i++]=&c1; - ctrls[i] = NULL; + c[i].ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = manageDSAit > 1; - c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; - c1.ldctl_value.bv_val = NULL; - c1.ldctl_value.bv_len = 0; - c1.ldctl_iscritical = manageDSAit > 1; -#ifdef LDAP_CONTROL_PAGEDRESULTS - if ( c1.ldctl_iscritical ) critical = 1; -#endif /* LDAP_CONTROL_PAGEDRESULTS */ + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } if ( noop ) { - ctrls[i++] = &c2; - ctrls[i] = NULL; + c[i].ldctl_oid = LDAP_CONTROL_NOOP; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = noop > 1; - c2.ldctl_oid = LDAP_CONTROL_NOOP; - c2.ldctl_value.bv_val = NULL; - c2.ldctl_value.bv_len = 0; - c2.ldctl_iscritical = noop > 1; -#ifdef LDAP_CONTROL_PAGEDRESULTS - if ( c2.ldctl_iscritical ) critical = 1; -#endif /* LDAP_CONTROL_PAGEDRESULTS */ + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } #ifdef LDAP_CONTROL_SUBENTRIES if ( subentries 
) { - ctrls[i++]=&c3; - ctrls[i] = NULL; - - c3.ldctl_oid = LDAP_CONTROL_SUBENTRIES; - c3.ldctl_iscritical = subentries < 1; -#ifdef LDAP_CONTROL_PAGEDRESULTS - if ( c3.ldctl_iscritical ) critical = 1; -#endif /* LDAP_CONTROL_PAGEDRESULTS */ - if (( ber = ber_alloc_t(LBER_USE_DER)) == NULL ) { return EXIT_FAILURE; } @@ -1084,24 +1083,21 @@ getNextPage: return EXIT_FAILURE; } - if ( ber_flatten( ber, &bvalp ) == LBER_ERROR ) { + if ( ber_flatten( ber, &sebvalp ) == LBER_ERROR ) { return EXIT_FAILURE; } - c3.ldctl_value=(*bvalp); + c[i].ldctl_oid = LDAP_CONTROL_SUBENTRIES; + c[i].ldctl_value=(*sebvalp); + c[i].ldctl_iscritical = subentries < 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } #endif if ( valuesReturnFilter ) { - ctrls[i++]=&c4; - ctrls[i] = NULL; - - c4.ldctl_oid = LDAP_CONTROL_VALUESRETURNFILTER; - c4.ldctl_iscritical = valuesReturnFilter > 1; -#ifdef LDAP_CONTROL_PAGEDRESULTS - if ( c4.ldctl_iscritical ) critical = 1; -#endif /* LDAP_CONTROL_PAGEDRESULTS */ - if (( ber = ber_alloc_t(LBER_USE_DER)) == NULL ) { return EXIT_FAILURE; } 
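Review bot: In ldapsearch.c the new guard `if ( manageDSAit || noop || subentries || valuesReturnFilter || pageSize )` leaves out `authzid`, so when proxy authorization is the only control requested the whole block, including the added `if ( authzid )` branch, is skipped and the search would go out under the bind identity. Both preprocessor forms of the condition should start with `authzid ||`, matching the other tools in this commit. The guard also tests `pageSize` while the branch further down tests `pagedResults`; using `pagedResults` in both places would keep the two in agreement. The block continues past this hunk.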
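Review bot: The subentries branch no longer releases its BerElement. The following hunk adds `ber_free( ber, 1 );` after `ber_flatten` in the valuesReturnFilter and pagedResults branches and removes the single `ber_free` that used to follow `ldap_set_option`, but nothing equivalent is added here. `ber` is then overwritten by the next `ber_alloc_t`, and the loss repeats on every pass through `getNextPage`. Adding `ber_free( ber, 1 );` right after the `ber_flatten( ber, &sebvalp )` check would match the other two branches.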
@@ -1112,62 +1108,59 @@ getNextPage: return EXIT_FAILURE; } - if ( ber_flatten( ber, &bvalp ) == LBER_ERROR ) { + if ( ber_flatten( ber, &vrbvalp ) == LBER_ERROR ) { return EXIT_FAILURE; } - c4.ldctl_value=(*bvalp); + ber_free( ber, 1 ); + + c[i].ldctl_oid = LDAP_CONTROL_VALUESRETURNFILTER; + c[i].ldctl_value=(*vrbvalp); + c[i].ldctl_iscritical = valuesReturnFilter > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } #ifdef LDAP_CONTROL_PAGEDRESULTS - if ( pageSize ) { - if (( pageber = ber_alloc_t(LBER_USE_DER)) == NULL ) { + if ( pagedResults ) { + if (( ber = ber_alloc_t(LBER_USE_DER)) == NULL ) { return EXIT_FAILURE; } - ber_printf( pageber, "{iO}", searchControlSize, &cookie ); - if ( ber_flatten( pageber, &bvalptr ) == LBER_ERROR) { + ber_printf( ber, "{iO}", pageSize, &cookie ); + if ( ber_flatten( ber, &prbvalp ) == LBER_ERROR ) { return EXIT_FAILURE; } - ctrls[i++]=&c5; - ctrls[i] = NULL; + ber_free( ber, 1 ); - c5.ldctl_oid = LDAP_CONTROL_PAGEDRESULTS; - c5.ldctl_value = ( *bvalptr ); - c5.ldctl_iscritical = searchControlCrit; - if ( c5.ldctl_iscritical ) critical = 1; + c[i].ldctl_oid = LDAP_CONTROL_PAGEDRESULTS; + c[i].ldctl_value=(*prbvalp); + c[i].ldctl_iscritical = pagedResults > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } #endif /* LDAP_CONTROL_PAGEDRESULTS */ err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); - ber_bvfree(bvalp); - ber_free( ber, 1 ); -#ifdef LDAP_CONTROL_PAGEDRESULTS - ber_free( pageber, 1 ); - ber_bvfree( bvalptr ); -#endif /* LDAP_CONTROL_PAGEDRESULTS */ - -#ifdef LDAP_CONTROL_PAGEDRESULTS - if( err != LDAP_OPT_SUCCESS ) { - if ( critical ) { - fprintf( stderr, "Could not set controls\n"); - return EXIT_FAILURE; - } else { - fprintf( stderr, "Could not set critical controls\n" ); - } - } -#else /* !LDAP_CONTROL_PAGEDRESULTS */ if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set %scontrols\n", - (c1.ldctl_iscritical || 
c2.ldctl_iscritical) - ? "critical " : "" ); - if( c1.ldctl_iscritical && c2.ldctl_iscritical ) { + crit ? "critical " : "" ); + if( crit ) { return EXIT_FAILURE; } } -#endif /* !LDAP_CONTROL_PAGEDRESULTS */ + + ber_bvfree( sebvalp ); + ber_bvfree( vrbvalp ); +#ifdef LDAP_CONTROL_PAGEDRESULTS + ber_bvfree( prbvalp ); +#endif /* LDAP_CONTROL_PAGEDRESULTS */ } if ( verbose ) { @@ -1230,8 +1223,8 @@ getNextPage: } if ( pageSize ) { printf("\n# with pagedResults %scontrol: size=%d", - searchControlCrit ? "critical " : "", - searchControlSize ); + (pagedResults > 1) ? "critical " : "", + pageSize ); } printf( "\n#\n\n" ); @@ -1271,7 +1264,7 @@ getNextPage: printf( "Estimate entries: %d\n", entriesLeft ); } printf( "Press [size] Enter for the next {%d|size} entries.\n", - (int)searchControlSize ); + (int)pageSize ); i = 0; moreEntries = getchar(); while ( moreEntries != EOF && moreEntries != '\n' ) { @@ -1290,7 +1283,7 @@ getNextPage: return EXIT_FAILURE; } - searchControlSize = (ber_int_t)tmpSize; + pageSize = (ber_int_t)tmpSize; } goto getNextPage; @@ -1429,15 +1422,7 @@ static int dosearch( done: #ifdef LDAP_CONTROL_PAGEDRESULTS - if ( pageSize == 0 ) { - if ( ldif < 2 ) { - printf( "\n# numResponses: %d\n", nresponses ); - if( nentries ) printf( "# numEntries: %d\n", nentries ); - if( nextended ) printf( "# numExtended: %d\n", nextended ); - if( npartial ) printf( "# numPartial: %d\n", npartial ); - if( nreferences ) printf( "# numReferences: %d\n", nreferences ); - } - } else { + if ( pageSize != 0 ) { npagedresponses = npagedresponses + nresponses; npagedentries = npagedentries + nentries; npagedreferences = npagedreferences + nreferences; 
@@ -1450,8 +1435,8 @@ done: if( npartial ) printf( "# numPartial: %d\n", npagedpartial ); if( nreferences ) printf( "# numReferences: %d\n", npagedreferences ); } - } -#else /* !LDAP_CONTROL_PAGEDRESULTS */ + } else +#endif /* LDAP_CONTROL_PAGEDRESULTS */ if ( ldif < 2 ) { printf( "\n# numResponses: %d\n", nresponses ); if( nentries ) printf( "# numEntries: %d\n", nentries ); @@ -1459,12 +1444,11 @@ done: if( npartial ) printf( "# numPartial: %d\n", npartial ); if( nreferences ) printf( "# numReferences: %d\n", nreferences ); } -#endif /* LDAP_CONTROL_PAGEDRESULTS */ return( rc ); } -#if 1 +#if 0 /* This is the original version, the old way of doing things. */ static void print_entry( @@ -1574,7 +1558,7 @@ print_entry( } #else /* This is the proposed new way of doing things. - * It is more * efficient, but the API is non-standard. + * It is more efficient, but the API is non-standard. */ static void print_entry( @@ -2019,4 +2003,3 @@ parse_page_control( return err; } #endif /* LDAP_CONTROL_PAGEDRESULTS */ - diff --git a/clients/tools/ldapwhoami.c b/clients/tools/ldapwhoami.c index 054ef2caee..7cdbe998bd 100644 --- a/clients/tools/ldapwhoami.c +++ b/clients/tools/ldapwhoami.c @@ -35,6 +35,7 @@ usage(const char *s) " -d level set LDAP debugging level to `level'\n" " -D binddn bind DN\n" " -e [!][=] general controls (! indicates criticality)\n" +" [!]authzid= (\"dn:\" or \"u:\")\n" " [!]manageDSAit (alternate form, see -M)\n" " [!]noop\n" " -f file read operations from `file'\n" @@ -95,6 +96,7 @@ main( int argc, char *argv[] ) LDAP *ld = NULL; int manageDSAit=0; int noop=0; + char *authzid = NULL; char *control, *cvalue; int crit; @@ -185,7 +187,6 @@ main( int argc, char *argv[] ) } manageDSAit = 1 + crit; - free( control ); break; } else if ( strcasecmp( control, "noop" ) == 0 ) { @@ -200,7 +201,6 @@ main( int argc, char *argv[] ) } noop = 1 + crit; - free( control ); break; } else { 
@@ -671,42 +671,59 @@ main( int argc, char *argv[] ) goto skip; } - if ( manageDSAit || noop ) { - int err, i = 0; - LDAPControl c1, c2; - LDAPControl *ctrls[3]; + if ( authzid || manageDSAit || noop ) { + int err, crit=0, i=0; + LDAPControl c[3]; + LDAPControl *ctrls[4]; + + if ( authzid ) { + c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c[i].ldctl_value.bv_val = authzid; + c[i].ldctl_value.bv_len = strlen( authzid ); + c[i].ldctl_iscritical = 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; + } if ( manageDSAit ) { - ctrls[i++] = &c1; - ctrls[i] = NULL; - c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; - c1.ldctl_value.bv_val = NULL; - c1.ldctl_value.bv_len = 0; - c1.ldctl_iscritical = manageDSAit > 1; + c[i].ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = manageDSAit > 1; + + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } if ( noop ) { - ctrls[i++] = &c2; - ctrls[i] = NULL; + c[i].ldctl_oid = LDAP_CONTROL_NOOP; + c[i].ldctl_value.bv_val = NULL; + c[i].ldctl_value.bv_len = 0; + c[i].ldctl_iscritical = noop > 1; - c2.ldctl_oid = LDAP_CONTROL_NOOP; - c2.ldctl_value.bv_val = NULL; - c2.ldctl_value.bv_len = 0; - c2.ldctl_iscritical = noop > 1; + if( c[i].ldctl_iscritical ) crit++; + ctrls[i] = &c[i]; + ctrls[++i] = NULL; } err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set %scontrols\n", - (c1.ldctl_iscritical || c2.ldctl_iscritical) - ? "critical " : "" ); - if ( c1.ldctl_iscritical && c2.ldctl_iscritical ) { + crit ? "critical " : "" ); + if ( crit ) { return EXIT_FAILURE; } } } +#if 1 + rc = ldap_whoami_s( ld, &retdata, NULL, NULL ); + +#else rc = ldap_extended_operation( ld, LDAP_EXOP_X_WHO_AM_I, NULL, NULL, NULL, &id ); 
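Review bot: The `#if 1` / `#else` switch at the end of this hunk keeps the old `ldap_extended_operation` path as dead code next to the new `rc = ldap_whoami_s( ld, &retdata, NULL, NULL );` call. The error path after the `#endif` (context in the next hunk) still reports the failure as `ldap_parse_result`, which no longer names the call that failed; `ldap_perror( ld, "ldap_whoami_s" );` would be accurate for the live branch. If the old path is kept only for reference, a one-line comment saying so, or its removal, would make the intent clear. The enclosing main() extends beyond the hunk.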
@@ -731,6 +748,7 @@ main( int argc, char *argv[] ) } rc = ldap_parse_extended_result( ld, res, &retoid, &retdata, 1 ); +#endif if( rc != LDAP_SUCCESS ) { ldap_perror( ld, "ldap_parse_result" ); diff --git a/include/ldap.h b/include/ldap.h index d2dd256d2c..e8b63f48c4 100644 --- a/include/ldap.h +++ b/include/ldap.h @@ -189,6 +189,7 @@ typedef struct ldapcontrol { #define LDAP_CHASE_EXTERNAL_REFERRALS 0x0040U #endif +#define LDAP_CONTROL_PROXY_AUTHZ "2.16.840.1.113730.3.4.18" #define LDAP_CONTROL_MANAGEDSAIT "2.16.840.1.113730.3.4.2" #define LDAP_CONTROL_SUBENTRIES "1.3.6.1.4.1.4203.1.10.1" #define LDAP_CONTROL_NOOP "1.3.6.1.4.1.4203.1.10.2" @@ -231,6 +232,7 @@ typedef struct ldapcontrol { #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U) #define LDAP_TAG_EXOP_MODIFY_PASSWD_GEN ((ber_tag_t) 0x80U) +#define LDAP_EXOP_X_CANCEL "1.3.6.1.4.1.4203.666.6.3" #define LDAP_EXOP_X_WHO_AM_I "1.3.6.1.4.1.4203.1.11.3" /* LDAP Features */ @@ -864,6 +866,24 @@ LDAP_F( void ) ldap_uncache_request LDAP_P(( LDAP *ld, int msgid )); +/* + * LDAP Cancel Extended Operation + */ + +LDAP_F( int ) +ldap_cancel LDAP_P(( LDAP *ld, + int cancelid, + LDAPControl **sctrls, + LDAPControl **cctrls, + int *msgidp )); + +LDAP_F( int ) +ldap_cancel_s LDAP_P(( + LDAP *ld, + int cancelid, + LDAPControl **sctrl, + LDAPControl **cctrl )); + /* * in compare.c: */ @@ -1643,6 +1663,28 @@ ldap_parse_vlv_control LDAP_P(( struct berval **contextp, int *errcodep )); +/* + * LDAP Who Am I? (whoami.c) + */ + +LDAP_F( int ) +ldap_parse_whoami LDAP_P(( + LDAP *ld, + LDAPMessage *res, + struct berval **authzid )); + +LDAP_F( int ) +ldap_whoami LDAP_P(( LDAP *ld, + LDAPControl **sctrls, + LDAPControl **cctrls, + int *msgidp )); + +LDAP_F( int ) +ldap_whoami_s LDAP_P(( + LDAP *ld, + struct berval **authzid, + LDAPControl **sctrls, + LDAPControl **cctrls )); LDAP_END_DECL #endif /* _LDAP_H */ diff --git a/libraries/liblber/decode.c b/libraries/liblber/decode.c index e69bb496fa..411bb6eeb4 100644 
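Review bot: In include/ldap.h, `ldap_cancel` and `ldap_cancel_s` are declared and libldap.dsp gains `SOURCE=.\cancel.c`, but the diffstat lists only passwd.c and whoami.c as new files. Unless cancel.c already exists in the tree, the declarations have no definition and the project file references a missing source. `LDAP_EXOP_X_CANCEL` uses an OID under `1.3.6.1.4.1.4203.666`, which looks like an experimental arc; a comment marking it as provisional would help callers. The two prototypes also name their control parameters differently (`sctrls`/`cctrls` against `sctrl`/`cctrl`).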
--- a/libraries/liblber/decode.c +++ b/libraries/liblber/decode.c @@ -619,13 +619,6 @@ ber_scanf ( BerElement *ber, va_list ap; LDAP_CONST char *fmt_reset; char *s, **ss; -#ifdef TMP_SLOTS - char *last; - char ***sss; - ber_tag_t tag; - struct berval ***bv; - int j; -#endif struct berval **bvp, *bval; ber_int_t *i; ber_len_t *l; diff --git a/libraries/libldap/libldap.dsp b/libraries/libldap/libldap.dsp index 9bae2d963e..c457cd9c1c 100644 --- a/libraries/libldap/libldap.dsp +++ b/libraries/libldap/libldap.dsp @@ -147,6 +147,10 @@ SOURCE=.\cache.c # End Source File # Begin Source File +SOURCE=.\cancel.c +# End Source File +# Begin Source File + SOURCE=.\charray.c # End Source File # Begin Source File @@ -283,6 +287,10 @@ SOURCE=".\os-ip.c" # End Source File # Begin Source File +SOURCE=.\passwd.c +# End Source File +# Begin Source File + SOURCE=..\..\include\portable.h # End Source File # Begin Source File @@ -357,5 +365,9 @@ SOURCE=".\util-int.c" SOURCE=.\vlvctrl.c # End Source File +# Begin Source File + +SOURCE=.\whoami.c +# End Source File # End Target # End Project diff --git a/libraries/libldap/passwd.c b/libraries/libldap/passwd.c new file mode 100644 index 0000000000..d2d32b58a5 --- /dev/null +++ b/libraries/libldap/passwd.c 
@@ -0,0 +1,151 @@
+/* $OpenLDAP$ */
+/*
+ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "portable.h"
+
+#include
+#include
+#include
+#include
+
+#include "ldap-int.h"
+
+/*
+ * LDAP Password Modify (Extended) Operation
+ */
+
+int ldap_parse_passwd(
+ LDAP *ld,
+ LDAPMessage *res,
+ struct berval **newpasswd )
+{
+ int rc;
+ char *retoid = NULL;
+ struct berval *retdata;
+
+ assert( ld != NULL );
+ assert( LDAP_VALID( ld ) );
+ assert( res != NULL );
+ assert( newpasswd != NULL );
+
+ *newpasswd = NULL;
+
+ rc = ldap_parse_extended_result( ld, res, &retoid, &retdata, 0 );
+
+ if( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ if( retdata != NULL ) {
+ ber_tag_t tag;
+ BerElement *ber = ber_init( retdata );
+
+ if( ber == NULL ) {
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
+
+ /* we should check the tag */
+ tag = ber_scanf( ber, "{o}", newpasswd );
+ ber_free( ber, 1 );
+
+ if( tag == -1 ) {
+ rc = ld->ld_errno = LDAP_DECODING_ERROR;
+ }
+ }
+
+ ber_memfree( retoid );
+ return rc;
+}
+
+int
+ldap_passwd( LDAP *ld,
+ struct berval *user,
+ struct berval *oldpw,
+ struct berval *newpw,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls,
+ int *msgidp )
+{
+ int rc;
+ struct berval *bv = NULL;
+
+ assert( ld != NULL );
+ assert( LDAP_VALID( ld ) );
+ assert( msgidp != NULL );
+
+ if( user != NULL || oldpw != NULL || newpw != NULL ) {
+ /* build change password control */
+ BerElement *ber = ber_alloc_t( LBER_USE_DER );
+
+ if( ber == NULL ) {
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
+
+ ber_printf( ber, "{" /*}*/ );
+
+ if( user != NULL ) {
+ ber_printf( ber, "ts",
+ LDAP_TAG_EXOP_MODIFY_PASSWD_ID, user );
+ }
+
+ if( oldpw != NULL ) {
+ ber_printf( ber, "ts",
+ LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, oldpw );
+ }
+
+ if( newpw != NULL ) {
+ ber_printf( ber, "ts",
+ LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, newpw );
+ }
+
+ ber_printf( ber, /*{*/ "N}" );
+
+ rc = ber_flatten( ber, &bv );
+
+ ber_free( ber, 1 );
+
+ if( rc < 0 ) {
+ ld->ld_errno = LDAP_ENCODING_ERROR;
+ return ld->ld_errno;
+ }
+
+ }
+
+ rc = ldap_extended_operation( ld, LDAP_EXOP_MODIFY_PASSWD,
+ bv, sctrls, cctrls, msgidp );
+
+ return rc;
+}
+
+int
+ldap_passwd_s(
+ LDAP *ld,
+ struct berval *user,
+ struct berval *oldpw,
+ struct berval *newpw,
+ struct berval **newpasswd,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls )
+{
+ int rc;
+ int msgid;
+ LDAPMessage *res;
+
+ rc = ldap_passwd( ld, user, oldpw, newpw, sctrls, cctrls, &msgid );
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ if ( ldap_result( ld, msgid, 1, (struct timeval *) NULL, &res ) == -1 ) {
+ return ld->ld_errno;
+ }
+
+ rc = ldap_parse_passwd( ld, res, newpasswd );
+ ldap_msgfree( res );
+ return rc;
+}
diff --git a/libraries/libldap/whoami.c b/libraries/libldap/whoami.c
new file mode 100644
index 0000000000..3ad13869c9
--- /dev/null
+++ b/libraries/libldap/whoami.c
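Review bot: In ldap_passwd the three `ber_printf( ber, "ts", ... )` calls hand `user`, `oldpw` and `newpw`, which are `struct berval *`, to the `s` conversion, which takes a NUL-terminated `char *`. The encoder would then read the berval structure itself as a string instead of `bv_val`/`bv_len`, so the request carries the wrong bytes and the read is not bounded by the value's length. The berval conversion is `O`, as in `ber_printf( ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, user );`. Separately, `bv` from ber_flatten() in ldap_passwd and `retdata` in ldap_parse_passwd are never released, and the `ber == NULL` return in ldap_parse_passwd also skips `ber_memfree( retoid )`; both buffers hold password material and should be freed on every path. The ber_printf() results are unchecked too, and the comment "build change password control" describes what is actually the extended-operation request value.

```c
/* ldap_parse_passwd */
	struct berval *retdata = NULL;
	/* … unchanged: asserts, ldap_parse_extended_result() call and its error return … */
	if( retdata != NULL ) {
		ber_tag_t tag;
		BerElement *ber = ber_init( retdata );

		if( ber == NULL ) {
			rc = ld->ld_errno = LDAP_NO_MEMORY;
			goto done;
		}
		/* … unchanged: ber_scanf(), ber_free() … */
		if( tag == LBER_ERROR ) {
			rc = ld->ld_errno = LDAP_DECODING_ERROR;
		}
	}

done:
	ber_bvfree( retdata );	/* response value may hold the generated password */
	ber_memfree( retoid );
	return rc;

/* ldap_passwd */
		if( user != NULL ) {
			ber_printf( ber, "tO",
				LDAP_TAG_EXOP_MODIFY_PASSWD_ID, user );
		}
		/* … same "tO" change for oldpw and newpw … */
	/* … unchanged: closing "N}", ber_flatten(), ber_free(), error return … */
	rc = ldap_extended_operation( ld, LDAP_EXOP_MODIFY_PASSWD,
		bv, sctrls, cctrls, msgidp );

	ber_bvfree( bv );	/* request value holds the old and new passwords */
	return rc;
```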
@@ -0,0 +1,85 @@
+/* $OpenLDAP$ */
+/*
+ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "portable.h"
+
+#include
+#include
+#include
+#include
+
+#include "ldap-int.h"
+
+/*
+ * LDAP Who Am I? (Extended) Operation
+ */
+
+int ldap_parse_whoami(
+ LDAP *ld,
+ LDAPMessage *res,
+ struct berval **authzid )
+{
+ int rc;
+ char *retoid = NULL;
+
+ assert( ld != NULL );
+ assert( LDAP_VALID( ld ) );
+ assert( res != NULL );
+ assert( authzid != NULL );
+
+ *authzid = NULL;
+
+ rc = ldap_parse_extended_result( ld, res, &retoid, authzid, 0 );
+
+ if( rc != LDAP_SUCCESS ) {
+ ldap_perror( ld, "ldap_parse_whoami" );
+ return rc;
+ }
+
+ ber_memfree( retoid );
+ return rc;
+}
+
+int
+ldap_whoami( LDAP *ld,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls,
+ int *msgidp )
+{
+ int rc;
+
+ assert( ld != NULL );
+ assert( LDAP_VALID( ld ) );
+ assert( msgidp != NULL );
+
+ rc = ldap_extended_operation( ld, LDAP_EXOP_X_WHO_AM_I,
+ NULL, sctrls, cctrls, msgidp );
+
+ return rc;
+}
+
+int
+ldap_whoami_s(
+ LDAP *ld,
+ struct berval **authzid,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls )
+{
+ int rc;
+ int msgid;
+ LDAPMessage *res;
+
+ rc = ldap_whoami( ld, sctrls, cctrls, &msgid );
+ if ( rc != LDAP_SUCCESS ) return rc;
+
+ if ( ldap_result( ld, msgid, 1, (struct timeval *) NULL, &res ) == -1 ) {
+ return ld->ld_errno;
+ }
+
+ rc = ldap_parse_whoami( ld, res, authzid );
+ ldap_msgfree( res );
+ return rc;
+}
--
2.39.5
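Review bot: ldap_parse_whoami calls `ldap_perror( ld, "ldap_parse_whoami" )` when ldap_parse_extended_result() fails, so a library routine writes to stderr on the application's behalf. The sibling ldap_parse_passwd in this commit simply returns `rc`, and the client tool hunk at the top of this page already prints its own diagnostic, so I would drop the ldap_perror() line and let callers report the error. The function also deserves a short header comment stating that `*authzid` is reset to NULL on entry and that, on success, the returned berval is presumably library-allocated and to be released by the caller with `ber_bvfree()`. `retoid` is fetched only to be freed and is never compared with the expected OID; a comment should say that this is intentional, or the check should be added.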