From 2c1fb010abc5c09c88c89d5120b5b236cd2d32da Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Mon, 29 Dec 2003 19:41:55 +0000
Subject: [PATCH] Sync with HEAD

---
 doc/man/man5/slapd-ldap.5       |  30 +++++
 doc/man/man5/slapd.access.5     |  25 +++-
 include/ldap.h                  |   7 -
 servers/slapd/acl.c             |  69 +++++++++-
 servers/slapd/ad.c              |  55 +++++++-
 servers/slapd/back-bdb/search.c |   2 +
 servers/slapd/backend.c         |   6 +-
 servers/slapd/backglue.c        |   6 +-
 servers/slapd/controls.c        |  22 ++-
 servers/slapd/repl.c            | 231 +++++++++++++++++++-------------
 servers/slapd/result.c          |   2 +-
 servers/slapd/saslauthz.c       |   9 +-
 servers/slapd/schema_init.c     |  98 +++++++-------
 servers/slapd/search.c          |   6 +-
 servers/slapd/sessionlog.c      |   2 +
 servers/slapd/slap.h            |  21 +--
 servers/slapd/slapi/TODO        |   4 +-
 servers/slapd/slapi/slapi_ops.c |   1 +
 18 files changed, 412 insertions(+), 184 deletions(-)

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index b3949472eb..53f5b4886b 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -33,9 +33,13 @@ Other database options are described in the
 manual page.
 .LP
 Note: It is strongly recommended to set
+.LP
 .RS
+.nf
 lastmod  off
+.fi
 .RE
+.LP
 for every
 .B ldap
 and
@@ -68,6 +72,32 @@ check permissions.
 .B bindpw <password>
 Password used with the bind DN above.
 .TP
+.B proxyauthzdn "<administrative DN for proxyAuthz purposes>"
+DN which is used to propagate the client's identity to the target
+by means of the proxyAuthz control when the client does not
+belong to the DIT fragment that is being proxyied by back-ldap.
+This is useful when operations performed by users bound to another 
+backend are propagated through back-ldap.
+This requires the entry with 
+.B proxyauthzdn 
+identity on the remote server to have
+.B proxyAuthz
+privileges on a wide set of DNs, e.g.
+.BR saslAuthzTo=dn.regex:.* ,
+and the remote server to have
+.B sasl-authz-policy
+set to 
+.B to
+or 
+.BR both .
+See 
+.BR slapd.conf (5)
+for details on these statements and for remarks and drawbacks about
+their usage.
+.TP
+.B proxyauthzpw <password>
+Password used with the proxy authz DN above.
+.TP
 .B proxy-whoami
 Turns on proxying of the WhoAmI extended operation. If this option is
 given, back-ldap will replace slapd's original WhoAmI routine with its
diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index 3d0ba4c2e6..19d529b427 100644
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -132,7 +132,11 @@ Actually, names in
 .B <attrlist>
 that are prefixed by
 .B @
-are directly treated as objectClass names.
+are directly treated as objectClass names.  A name prefixed by
+.B !
+is also treated as an objectClass, but in this case the access rule
+affects the attributes that are not required nor allowed 
+by that objectClass.
 .LP
 Using the form
 .B attrs=<attr> val[.<style>]=<value>
@@ -586,6 +590,25 @@ access to the attribute holding the referral information
 (generally the
 .B ref
 attribute).
+.LP
+Some
+.B controls
+require specific access privileges.
+The
+.B proxyAuthz
+control requires
+.B auth (=x)
+privileges on all the attributes that are present in the search filter
+of the URI regexp maps (the right-hand side of the
+.B sasl-regexp
+directives).
+It also requires
+.B auth (=x)
+privileges on the
+.B saslAuthzTo
+attribute of the authorizing identity and/or on the 
+.B saslAuthzFrom
+attribute of the authorized identity.
 .SH CAVEATS
 It is strongly recommended to explicitly use the most appropriate
 .BR <dnstyle> ,
diff --git a/include/ldap.h b/include/ldap.h
index 46b3d5a8d9..8b6615eb23 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -236,13 +236,6 @@ typedef struct ldapcontrol {
 #define LDAP_SYNC_MODIFY				2
 #define LDAP_SYNC_DELETE				3
 
-#if 0
-#define LDAP_CONTROL_DUPENT_REQUEST		"2.16.840.1.113719.1.27.101.1"
-#define LDAP_CONTROL_DUPENT_RESPONSE	"2.16.840.1.113719.1.27.101.2"
-#define LDAP_CONTROL_DUPENT_ENTRY		"2.16.840.1.113719.1.27.101.3"
-#define LDAP_CONTROL_DUPENT	LDAP_CONTROL_DUPENT_REQUEST
-#endif
-
 /* controls for MSAD compatibility */
 #define LDAP_CONTROL_X_DOMAIN_SCOPE			"1.2.840.113556.1.4.1339"
 #define LDAP_CONTROL_X_PERMISSIVE_MODIFY	"1.2.840.113556.1.4.1413"
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 6a56c98cf9..5133c64ed2 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -672,11 +672,70 @@ acl_mask(
 				"acl_get: val %s\n",
 				a->acl_attrval.bv_val, 0, 0 );
 #endif
-			if (value_match( &match, desc,
-				desc->ad_type->sat_equality, 0,
-				val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
-					match )
-				return ACL_BREAK;
+
+			if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
+				if (value_match( &match, desc,
+					desc->ad_type->sat_equality, 0,
+					val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
+						match )
+					return ACL_BREAK;
+				
+			} else {
+				int		patlen, vdnlen, rc, got_match = 0;
+				struct berval	vdn = { 0, NULL };
+
+				/* it is a DN */
+				assert( a->acl_attrs[0].an_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName );
+
+				rc = dnNormalize( 0, NULL, NULL, val, &vdn,
+					       	op->o_tmpmemctx );
+				if ( rc != LDAP_SUCCESS ) {
+					/* error */
+					return ACL_BREAK;
+				}
+
+				patlen = a->acl_attrval.bv_len;
+				vdnlen = vdn.bv_len;
+
+				if ( vdnlen < patlen )
+					goto attrval_cleanup;
+
+				if ( a->acl_dn_style == ACL_STYLE_BASE ) {
+					if ( vdnlen > patlen )
+						goto attrval_cleanup;
+
+				} else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
+					int rdnlen = -1;
+
+					if ( !DN_SEPARATOR( vdn.bv_val[vdnlen - patlen - 1] ) )
+						goto attrval_cleanup;
+
+					rdnlen = dn_rdnlen( NULL, &vdn );
+					if ( rdnlen != vdnlen - patlen - 1 )
+						goto attrval_cleanup;
+
+				} else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
+					if ( vdnlen > patlen && !DN_SEPARATOR( vdn.bv_val[vdnlen - patlen - 1] ) )
+						goto attrval_cleanup;
+
+				} else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
+					if ( vdnlen <= patlen )
+						goto attrval_cleanup;
+
+					if ( !DN_SEPARATOR( vdn.bv_val[vdnlen - patlen - 1] ) )
+						goto attrval_cleanup;
+				}
+
+				got_match = strcmp( a->acl_attrval.bv_val, vdn.bv_val + vdnlen - patlen );
+
+attrval_cleanup:;
+				if ( vdn.bv_val )
+					free( vdn.bv_val );
+
+				if ( !got_match )
+					return ACL_BREAK;
+				
+			}
 		}
 	}
 
diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c
index ec6dd06fd2..f828b8a717 100644
--- a/servers/slapd/ad.c
+++ b/servers/slapd/ad.c
@@ -533,24 +533,67 @@ int ad_inlist(
 		/*
 		 * EXTENSION: see if requested description is @objectClass
 		 * if so, return attributes which the class requires/allows
+		 * else if requested description is !objectClass, return
+		 * attributes which the class does not require/allow
 		 */
 		oc = attrs->an_oc;
 		if( oc == NULL && attrs->an_name.bv_val ) {
 			switch( attrs->an_name.bv_val[0] ) {
 			case '@': /* @objectClass */
 			case '+': /* +objectClass (deprecated) */
-				{
+			case '!': { /* exclude */
 					struct berval ocname;
 					ocname.bv_len = attrs->an_name.bv_len - 1;
 					ocname.bv_val = &attrs->an_name.bv_val[1];
 					oc = oc_bvfind( &ocname );
+					attrs->an_oc_exclude = 0;
+					if ( oc && attrs->an_name.bv_val[0] == '!' ) {
+						attrs->an_oc_exclude = 1;
+					}
 				} break;
+
 			default: /* old (deprecated) way */
 				oc = oc_bvfind( &attrs->an_name );
 			}
 			attrs->an_oc = oc;
 		}
 		if( oc != NULL ) {
+			if ( attrs->an_oc_exclude ) {
+				int gotit = 0;
+
+				if ( oc == slap_schema.si_oc_extensibleObject ) {
+					/* extensibleObject allows the return of anything */
+					return 0;
+				}
+
+				if( oc->soc_required ) {
+					/* allow return of required attributes */
+					int i;
+				
+   					for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
+						for (a = desc->ad_type; a; a=a->sat_sup) {
+							if ( a == oc->soc_required[i] ) {
+								return 0;
+							}
+						}
+					}
+				}
+
+				if( oc->soc_allowed ) {
+					/* allow return of allowed attributes */
+					int i;
+   					for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) {
+						for (a = desc->ad_type; a; a=a->sat_sup) {
+							if ( a == oc->soc_allowed[i] ) {
+								return 0;
+							}
+						}
+					}
+				}
+
+				return 1;
+			}
+			
 			if ( oc == slap_schema.si_oc_extensibleObject ) {
 				/* extensibleObject allows the return of anything */
 				return 1;
@@ -692,7 +735,8 @@ an_find(
  * on to an existing list if it was given.  If the string is not
  * a valid attribute name, if a '-' is prepended it is skipped
  * and the remaining name is tried again; if a '@' (or '+') is
- * prepended, an objectclass name is searched instead.
+ * prepended, an objectclass name is searched instead; if a '!'
+ * is prepended, the objectclass name is negated.
  * 
  * NOTE: currently, if a valid attribute name is not found, the
  * same string is also checked as valid objectclass name; however,
@@ -730,6 +774,7 @@ str2anlist( AttributeName *an, char *in, const char *brkstr )
 	{
 		anew->an_desc = NULL;
 		anew->an_oc = NULL;
+		anew->an_oc_exclude = 0;
 		ber_str2bv(s, 0, 1, &anew->an_name);
 		slap_bv2ad(&anew->an_name, &anew->an_desc, &text);
 		if ( !anew->an_desc ) {
@@ -752,7 +797,7 @@ str2anlist( AttributeName *an, char *in, const char *brkstr )
 
 			case '@':
 			case '+': /* (deprecated) */
-				{
+			case '!': {
 					struct berval ocname;
 					ocname.bv_len = anew->an_name.bv_len - 1;
 					ocname.bv_val = &anew->an_name.bv_val[1];
@@ -766,6 +811,10 @@ str2anlist( AttributeName *an, char *in, const char *brkstr )
 						strcpy( in, s );
 						return NULL;
 					}
+
+					if ( anew->an_name.bv_val[0] == '!' ) {
+						anew->an_oc_exclude = 1;
+					}
 				} break;
 
 			default:
diff --git a/servers/slapd/back-bdb/search.c b/servers/slapd/back-bdb/search.c
index 3d498b7e31..98c23d2309 100644
--- a/servers/slapd/back-bdb/search.c
+++ b/servers/slapd/back-bdb/search.c
@@ -481,6 +481,7 @@ bdb_do_search( Operation *op, SlapReply *rs, Operation *sop,
 
 	null_attr.an_desc = NULL;
 	null_attr.an_oc = NULL;
+	null_attr.an_oc_exclude = 0;
 	null_attr.an_name.bv_len = 0;
 	null_attr.an_name.bv_val = NULL;
 
@@ -493,6 +494,7 @@ bdb_do_search( Operation *op, SlapReply *rs, Operation *sop,
 		attrs = uuid_attr;
 		attrs[0].an_desc = NULL;
 		attrs[0].an_oc = NULL;
+		attrs[0].an_oc_exclude = 0;
 		attrs[0].an_name.bv_len = 0;
 		attrs[0].an_name.bv_val = NULL;
 	}
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index f8867cbdda..e90440a3ca 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1233,14 +1233,14 @@ backend_group(
 							goto loopit;
 						switch(ludp->lud_scope) {
 						case LDAP_SCOPE_BASE:
-							if ( !dn_match(&nbase, op_ndn)) goto loopit;
+							if ( !dn_match( &nbase, op_ndn )) goto loopit;
 							break;
 						case LDAP_SCOPE_ONELEVEL:
 							dnParent(op_ndn, &bv );
-							if ( !dn_match(&nbase, &bv)) goto loopit;
+							if ( !dn_match( &nbase, &bv )) goto loopit;
 							break;
 						case LDAP_SCOPE_SUBTREE:
-							if ( !dnIsSuffix(op_ndn, &nbase)) goto loopit;
+							if ( !dnIsSuffix( op_ndn, &nbase )) goto loopit;
 							break;
 						}
 						filter = str2filter_x( op, ludp->lud_filter );
diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
index 7a41120a08..95cb74921f 100644
--- a/servers/slapd/backglue.c
+++ b/servers/slapd/backglue.c
@@ -323,14 +323,16 @@ glue_back_search ( Operation *op, SlapReply *rs )
 			}
 			op->o_bd = gi->n[i].be;
 			if (scope0 == LDAP_SCOPE_ONELEVEL && 
-				dn_match(&gi->n[i].pdn, &ndn)) {
+				dn_match(&gi->n[i].pdn, &ndn))
+			{
 				op->ors_scope = LDAP_SCOPE_BASE;
 				op->o_req_dn = op->o_bd->be_suffix[0];
 				op->o_req_ndn = op->o_bd->be_nsuffix[0];
 				rs->sr_err = op->o_bd->be_search(op, rs);
 
 			} else if (scope0 == LDAP_SCOPE_SUBTREE &&
-				dnIsSuffix(&op->o_bd->be_nsuffix[0], &ndn)) {
+				dnIsSuffix(&op->o_bd->be_nsuffix[0], &ndn))
+			{
 				op->o_req_dn = op->o_bd->be_suffix[0];
 				op->o_req_ndn = op->o_bd->be_nsuffix[0];
 				rs->sr_err = op->o_bd->be_search( op, rs );
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 825c80aec8..a5bdde13fc 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -997,10 +997,17 @@ static int parsePreRead (
 	}
 
 	for( i=0; i<siz; i++ ) {
-		const char *dummy;
+		int		rc = LDAP_SUCCESS;
+		const char	*dummy = NULL;
+
 		an[i].an_desc = NULL;
 		an[i].an_oc = NULL;
-		slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+		an[i].an_oc_exclude = 0;
+		rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+		if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
+			rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
+			return rc;
+		}
 	}
 
 	op->o_preread = ctrl->ldctl_iscritical
@@ -1046,10 +1053,17 @@ static int parsePostRead (
 	}
 
 	for( i=0; i<siz; i++ ) {
-		const char *dummy;
+		int		rc = LDAP_SUCCESS;
+		const char	*dummy = NULL;
+
 		an[i].an_desc = NULL;
 		an[i].an_oc = NULL;
-		slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+		an[i].an_oc_exclude = 0;
+		rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+		if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
+			rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
+			return rc;
+		}
 	}
 
 	op->o_postread = ctrl->ldctl_iscritical
diff --git a/servers/slapd/repl.c b/servers/slapd/repl.c
index ec0f465888..6a54a9bb74 100644
--- a/servers/slapd/repl.c
+++ b/servers/slapd/repl.c
@@ -119,7 +119,7 @@ add_replica_attrs(
 static void
 print_vals( FILE *fp, struct berval *type, struct berval *bv );
 static void
-replog1( struct slap_replica_info *ri, Operation *op, FILE *fp, void *first);
+replog1( struct slap_replica_info *ri, Operation *op, FILE *fp, long now);
 
 void
 replog( Operation *op )
@@ -189,14 +189,10 @@ replog( Operation *op )
 	}
 #endif
 
-	fprintf( fp, "time: %ld\n", now );
-	fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
-
-	replog1( NULL, op, fp, NULL );
+	replog1( NULL, op, fp, now );
 
 	if ( subsets > 0 ) {
-		void *first;
-		for ( i = subsets - 1; op->o_bd->be_replica != NULL && op->o_bd->be_replica[i] != NULL; i++ ) {
+		for ( i = subsets - 1; op->o_bd->be_replica[i] != NULL; i++ ) {
 
 			/* If no attrs, we already did this above */
 			if ( op->o_bd->be_replica[i]->ri_attrs == NULL ) {
@@ -214,63 +210,23 @@ replog( Operation *op )
 				}
 
 				if ( !op->o_bd->be_replica[i]->ri_nsuffix[j].bv_val ) {
-					/* do not add "replica:" line */
+					/* no matching suffix found, skip it */
 					continue;
 				}
 			}
-			subsets = 0;
-			first = NULL;
 			switch( op->o_tag ) {
 			case LDAP_REQ_EXTENDED:
 				/* quick hack for extended operations */
-				/* assume change parameter is a Modfications* */
+				/* assume change parameter is a Modifications* */
 				/* fall thru */
 			case LDAP_REQ_MODIFY:
-				for ( ml = op->orm_modlist; ml != NULL; ml = ml->sml_next ) {
-					int is_in, exclude;
-
-   					is_in = ad_inlist( ml->sml_desc, op->o_bd->be_replica[i]->ri_attrs );
-					exclude = op->o_bd->be_replica[i]->ri_exclude;
-					
-					/*
-					 * there might be a more clever way to do this test,
-					 * but this way, at least, is comprehensible :)
-					 */
-					if ( ( is_in && !exclude ) || ( !is_in && exclude ) ) {
-						subsets = 1;
-						first = ml;
-						break;
-					}
-				}
-				if ( !subsets ) {
-					continue;
-				}
-				break;
 			case LDAP_REQ_ADD:
-				for ( a = op->ora_e->e_attrs; a != NULL; a = a->a_next ) {
-					int is_in, exclude;
-
-   					is_in = ad_inlist( a->a_desc, op->o_bd->be_replica[i]->ri_attrs );
-					exclude = op->o_bd->be_replica[i]->ri_exclude;
-					
-					if ( ( is_in && !exclude ) || ( !is_in && exclude ) ) {
-						subsets = 1;
-						first = a;
-						break;
-					}
-				}
-				if ( !subsets ) {
-					continue;
-				}
 				break;
 			default:
 				/* Other operations were logged in the first pass */
 				continue;
 			}
-			fprintf( fp, "replica: %s\n", op->o_bd->be_replica[i]->ri_host );
-			fprintf( fp, "time: %ld\n", now );
-			fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
-			replog1( op->o_bd->be_replica[i], op, fp, first );
+			replog1( op->o_bd->be_replica[i], op, fp, now );
 		}
 	}
 
@@ -278,29 +234,60 @@ replog( Operation *op )
 	ldap_pvt_thread_mutex_unlock( &replog_mutex );
 }
 
+static void
+rephdr(
+	struct slap_replica_info *ri,
+	Operation *op,
+	FILE *fp,
+	long now
+)
+{
+	if ( ri ) {
+		fprintf( fp, "replica: %s\n", ri->ri_host );
+	}
+	fprintf( fp, "time: %ld\n", now );
+	fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
+}
 
 static void
 replog1(
-    struct slap_replica_info *ri,
-    Operation *op,
-    FILE	*fp,
-	void	*first
+	struct slap_replica_info *ri,
+	Operation *op,
+	FILE	*fp,
+	long	now
 )
 {
 	Modifications	*ml;
 	Attribute	*a;
+	AttributeName	*an;
+	int		dohdr = 1, ocs = -1;
+	struct berval vals[2];
+
+	vals[1].bv_val = NULL;
+	vals[1].bv_len = 0;
 
 	switch ( op->o_tag ) {
 	case LDAP_REQ_EXTENDED:
 		/* quick hack for extended operations */
-		/* assume change parameter is a Modfications* */
+		/* assume change parameter is a Modifications* */
 		/* fall thru */
 
 	case LDAP_REQ_MODIFY:
-		fprintf( fp, "changetype: modify\n" );
-		ml = first ? first : op->orm_modlist;
-		for ( ; ml != NULL; ml = ml->sml_next ) {
-			char *type;
+		for ( ml = op->orm_modlist; ml != NULL; ml = ml->sml_next ) {
+			char *did, *type = ml->sml_desc->ad_cname.bv_val;
+			switch ( ml->sml_op ) {
+			case LDAP_MOD_ADD:
+				did = "add"; break;
+
+			case LDAP_MOD_DELETE:
+				did = "delete"; break;
+
+			case LDAP_MOD_REPLACE:
+				did = "replace"; break;
+
+			case LDAP_MOD_INCREMENT:
+				did = "increment"; break;
+			}
 			if ( ri && ri->ri_attrs ) {
 				int is_in = ad_inlist( ml->sml_desc, ri->ri_attrs );
 
@@ -309,25 +296,67 @@ replog1(
 				{
 					continue;
 				}
-			}
-			type = ml->sml_desc->ad_cname.bv_val;
-			switch ( ml->sml_op ) {
-			case LDAP_MOD_ADD:
-				fprintf( fp, "add: %s\n", type );
-				break;
-
-			case LDAP_MOD_DELETE:
-				fprintf( fp, "delete: %s\n", type );
-				break;
-
-			case LDAP_MOD_REPLACE:
-				fprintf( fp, "replace: %s\n", type );
-				break;
+				/* If this is objectClass, see if the value is included
+				 * in any subset, otherwise drop it.
+				 */
+				if ( ocs && ml->sml_desc == slap_schema.si_ad_objectClass
+					&& ml->sml_bvalues ) {
+					int i, first = 1;
+
+					if ( ocs == -1 ) ocs = 0;
+
+					for ( i=0; ml->sml_bvalues[i].bv_val; i++ ) {
+						int match = 0;
+						for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
+							if ( an->an_oc ) {
+								ocs = 1;
+								match |= an->an_oc_exclude;
+								if ( ml->sml_bvalues[i].bv_len == an->an_name.bv_len
+									&& !strcasecmp(ml->sml_bvalues[i].bv_val,
+										an->an_name.bv_val ) ) {
+									match = !an->an_oc_exclude;
+									break;
+								}
+							}
+						}
+						/* Objectclasses need no special treatment, drop into
+						 * regular processing
+						 */
+						if ( !ocs ) break;
+
+						match ^= ri->ri_exclude;
+						/* Found a match, log it */
+						if ( match ) {
+							if ( dohdr ) {
+								rephdr( ri, op, fp, now );
+								fprintf( fp, "changetype: modify\n" );
+								dohdr = 0;
+							}
+							if ( first ) {
+								fprintf( fp, "%s: %s\n", did, type );
+								first = 0;
+							}
+							vals[0] = an->an_name;
+							print_vals( fp, &ml->sml_desc->ad_cname, vals );
+							ocs = 2;
+						}
 
-			case LDAP_MOD_INCREMENT:
-				fprintf( fp, "increment: %s\n", type );
-				break;
+					}
+					/* Explicit objectclasses have been handled already */
+					if ( ocs ) {
+						if ( ocs == 2 ) {
+							fprintf( fp, "-\n" );
+						}
+						continue;
+					}
+				}
+			}
+			if ( dohdr ) {
+				rephdr( ri, op, fp, now );
+				fprintf( fp, "changetype: modify\n" );
+				dohdr = 0;
 			}
+			fprintf( fp, "%s: %s\n", did, type );
 			if ( ml->sml_bvalues ) {
 				print_vals( fp, &ml->sml_desc->ad_cname, ml->sml_bvalues );
 			}
@@ -336,52 +365,68 @@ replog1(
 		break;
 
 	case LDAP_REQ_ADD:
-		fprintf( fp, "changetype: add\n" );
-		a = first ? first : op->ora_e->e_attrs;
-		for ( ; a != NULL; a=a->a_next ) {
+		for ( a = op->ora_e->e_attrs ; a != NULL; a=a->a_next ) {
 			if ( ri && ri->ri_attrs ) {
 				int is_in = ad_inlist( a->a_desc, ri->ri_attrs );
 				if ( ( !is_in && !ri->ri_exclude ) || ( is_in && ri->ri_exclude ) ) {
 					continue;
 				}
+
 				/* If the list includes objectClass names,
 				 * only include those classes in the
 				 * objectClass attribute
 				 */
-				if ( a->a_desc == slap_schema.si_ad_objectClass ) {
-					int ocs = 0;
-					AttributeName *an;
-					struct berval vals[2];
-					vals[1].bv_val = NULL;
-					vals[1].bv_len = 0;
-					for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
-						if ( an->an_oc ) {
-							int i;
-
-							for ( i=0; a->a_vals[i].bv_val; i++ ) {
+				if ( ocs && a->a_desc == slap_schema.si_ad_objectClass ) {
+					int i;
+
+					if ( ocs == -1 ) ocs = 0;
+
+					for ( i=0; a->a_vals[i].bv_val; i++ ) {
+						int match = 0;
+						for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
+							if ( an->an_oc ) {
+								ocs = 1;
+								match |= an->an_oc_exclude;
 								if ( a->a_vals[i].bv_len == an->an_name.bv_len
 									&& !strcasecmp(a->a_vals[i].bv_val,
 										an->an_name.bv_val ) ) {
-									ocs = 1;
-									vals[0] = an->an_name;
-									print_vals( fp, &a->a_desc->ad_cname, vals );
+									match = !an->an_oc_exclude;
 									break;
 								}
 							}
 						}
+						if ( !ocs ) break;
+
+						match ^= ri->ri_exclude;
+						if ( match ) {
+							if ( dohdr ) {
+								rephdr( ri, op, fp, now );
+								fprintf( fp, "changetype: add\n" );
+								dohdr = 0;
+							}
+							vals[0] = an->an_name;
+							print_vals( fp, &a->a_desc->ad_cname, vals );
+						}
 					}
 					if ( ocs ) continue;
 				}
 			}
+			if ( dohdr ) {
+				rephdr( ri, op, fp, now );
+				fprintf( fp, "changetype: add\n" );
+				dohdr = 0;
+			}
 			print_vals( fp, &a->a_desc->ad_cname, a->a_vals );
 		}
 		break;
 
 	case LDAP_REQ_DELETE:
+		rephdr( ri, op, fp, now );
 		fprintf( fp, "changetype: delete\n" );
 		break;
 
 	case LDAP_REQ_MODRDN:
+		rephdr( ri, op, fp, now );
 		fprintf( fp, "changetype: modrdn\n" );
 		fprintf( fp, "newrdn: %s\n", op->orr_newrdn.bv_val );
 		fprintf( fp, "deleteoldrdn: %d\n", op->orr_deleteoldrdn ? 1 : 0 );
diff --git a/servers/slapd/result.c b/servers/slapd/result.c
index 5285dbdd88..0a75e23024 100644
--- a/servers/slapd/result.c
+++ b/servers/slapd/result.c
@@ -297,7 +297,7 @@ send_ldap_response(
 {
 	BerElementBuffer berbuf;
 	BerElement	*ber = (BerElement *) &berbuf;
-	int		rc;
+	int		rc = LDAP_SUCCESS;
 	long	bytes;
 
 	if (op->o_callback) {
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 1c1e8d4f84..714c5b8778 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -269,7 +269,7 @@ is_dn:		bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 	{
 		Connection	c = *op->o_conn;
 		char		buf[ SLAP_LDAPDN_MAXLEN ];
-		struct berval	id = { uri->bv_len, (char *)buf },
+		struct berval	id,
 				user = { 0, NULL },
 				realm = { 0, NULL },
 				mech = { 0, NULL };
@@ -278,6 +278,8 @@ is_dn:		bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 			return LDAP_INVALID_SYNTAX;
 		}
 
+		id.bv_len = uri->bv_len;
+		id.bv_val = buf;
 		strncpy( buf, uri->bv_val, sizeof( buf ) );
 
 		rc = slap_parse_user( &id, &user, &realm, &mech );
@@ -646,7 +648,10 @@ exact_match:
 			goto exact_match;
 
 		} else if ( d > 0 ) {
-			struct berval bv = { op.o_req_ndn.bv_len, assertDN->bv_val + d };
+			struct berval bv;
+
+			bv.bv_len = op.o_req_ndn.bv_len;
+			bv.bv_val = assertDN->bv_val + d;
 
 			if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) {
 				rc = LDAP_SUCCESS;
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 8369a43204..8a70eaefbb 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -97,7 +97,7 @@ sequenceValidate(
 static int certificateValidate( Syntax *syntax, struct berval *in )
 {
 	X509 *xcert=NULL;
-	unsigned char *p = in->bv_val;
+	unsigned char *p = (unsigned char *)in->bv_val;
  
 	xcert = d2i_X509(NULL, &p, in->bv_len);
 	if ( !xcert ) return LDAP_INVALID_SYNTAX;
@@ -167,7 +167,7 @@ int octetStringIndexer(
 	HASH_CONTEXT HASHcontext;
 	unsigned char HASHdigest[HASH_BYTES];
 	struct berval digest;
-	digest.bv_val = HASHdigest;
+	digest.bv_val = (char *)HASHdigest;
 	digest.bv_len = sizeof(HASHdigest);
 
 	for( i=0; values[i].bv_val != NULL; i++ ) {
@@ -186,14 +186,15 @@ int octetStringIndexer(
 		HASH_Init( &HASHcontext );
 		if( prefix != NULL && prefix->bv_len > 0 ) {
 			HASH_Update( &HASHcontext,
-				prefix->bv_val, prefix->bv_len );
+				(unsigned char *)prefix->bv_val,
+				prefix->bv_len );
 		}
 		HASH_Update( &HASHcontext,
-			syntax->ssyn_oid, slen );
+			(unsigned char *)syntax->ssyn_oid, slen );
 		HASH_Update( &HASHcontext,
-			mr->smr_oid, mlen );
+			(unsigned char *)mr->smr_oid, mlen );
 		HASH_Update( &HASHcontext,
-			values[i].bv_val, values[i].bv_len );
+			(unsigned char *)values[i].bv_val, values[i].bv_len );
 		HASH_Final( HASHdigest, &HASHcontext );
 
 		ber_dupbv_x( &keys[i], &digest, ctx );
@@ -224,7 +225,7 @@ int octetStringFilter(
 	unsigned char HASHdigest[HASH_BYTES];
 	struct berval *value = (struct berval *) assertedValue;
 	struct berval digest;
-	digest.bv_val = HASHdigest;
+	digest.bv_val = (char *)HASHdigest;
 	digest.bv_len = sizeof(HASHdigest);
 
 	slen = syntax->ssyn_oidlen;
@@ -235,14 +236,14 @@ int octetStringFilter(
 	HASH_Init( &HASHcontext );
 	if( prefix != NULL && prefix->bv_len > 0 ) {
 		HASH_Update( &HASHcontext,
-			prefix->bv_val, prefix->bv_len );
+			(unsigned char *)prefix->bv_val, prefix->bv_len );
 	}
 	HASH_Update( &HASHcontext,
-		syntax->ssyn_oid, slen );
+		(unsigned char *)syntax->ssyn_oid, slen );
 	HASH_Update( &HASHcontext,
-		mr->smr_oid, mlen );
+		(unsigned char *)mr->smr_oid, mlen );
 	HASH_Update( &HASHcontext,
-		value->bv_val, value->bv_len );
+		(unsigned char *)value->bv_val, value->bv_len );
 	HASH_Final( HASHdigest, &HASHcontext );
 
 	ber_dupbv_x( keys, &digest, ctx );
@@ -397,7 +398,7 @@ octetStringSubstringsIndexer(
 	HASH_CONTEXT HASHcontext;
 	unsigned char HASHdigest[HASH_BYTES];
 	struct berval digest;
-	digest.bv_val = HASHdigest;
+	digest.bv_val = (char *)HASHdigest;
 	digest.bv_len = sizeof(HASHdigest);
 
 	nkeys=0;
@@ -460,17 +461,17 @@ octetStringSubstringsIndexer(
 				HASH_Init( &HASHcontext );
 				if( prefix != NULL && prefix->bv_len > 0 ) {
 					HASH_Update( &HASHcontext,
-						prefix->bv_val, prefix->bv_len );
+						(unsigned char *)prefix->bv_val, prefix->bv_len );
 				}
 
 				HASH_Update( &HASHcontext,
-					&pre, sizeof( pre ) );
+					(unsigned char *)&pre, sizeof( pre ) );
 				HASH_Update( &HASHcontext,
-					syntax->ssyn_oid, slen );
+					(unsigned char *)syntax->ssyn_oid, slen );
 				HASH_Update( &HASHcontext,
-					mr->smr_oid, mlen );
+					(unsigned char *)mr->smr_oid, mlen );
 				HASH_Update( &HASHcontext,
-					&values[i].bv_val[j],
+					(unsigned char *)&values[i].bv_val[j],
 					SLAP_INDEX_SUBSTR_MAXLEN );
 				HASH_Final( HASHdigest, &HASHcontext );
 
@@ -489,16 +490,16 @@ octetStringSubstringsIndexer(
 				HASH_Init( &HASHcontext );
 				if( prefix != NULL && prefix->bv_len > 0 ) {
 					HASH_Update( &HASHcontext,
-						prefix->bv_val, prefix->bv_len );
+						(unsigned char *)prefix->bv_val, prefix->bv_len );
 				}
 				HASH_Update( &HASHcontext,
-					&pre, sizeof( pre ) );
+					(unsigned char *)&pre, sizeof( pre ) );
 				HASH_Update( &HASHcontext,
-					syntax->ssyn_oid, slen );
+					(unsigned char *)syntax->ssyn_oid, slen );
 				HASH_Update( &HASHcontext,
-					mr->smr_oid, mlen );
+					(unsigned char *)mr->smr_oid, mlen );
 				HASH_Update( &HASHcontext,
-					values[i].bv_val, j );
+					(unsigned char *)values[i].bv_val, j );
 				HASH_Final( HASHdigest, &HASHcontext );
 
 				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
@@ -509,16 +510,16 @@ octetStringSubstringsIndexer(
 				HASH_Init( &HASHcontext );
 				if( prefix != NULL && prefix->bv_len > 0 ) {
 					HASH_Update( &HASHcontext,
-						prefix->bv_val, prefix->bv_len );
+						(unsigned char *)prefix->bv_val, prefix->bv_len );
 				}
 				HASH_Update( &HASHcontext,
-					&pre, sizeof( pre ) );
+					(unsigned char *)&pre, sizeof( pre ) );
 				HASH_Update( &HASHcontext,
-					syntax->ssyn_oid, slen );
+					(unsigned char *)syntax->ssyn_oid, slen );
 				HASH_Update( &HASHcontext,
-					mr->smr_oid, mlen );
+					(unsigned char *)mr->smr_oid, mlen );
 				HASH_Update( &HASHcontext,
-					&values[i].bv_val[values[i].bv_len-j], j );
+					(unsigned char *)&values[i].bv_val[values[i].bv_len-j], j );
 				HASH_Final( HASHdigest, &HASHcontext );
 
 				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
@@ -590,7 +591,7 @@ octetStringSubstringsFilter (
 		return LDAP_SUCCESS;
 	}
 
-	digest.bv_val = HASHdigest;
+	digest.bv_val = (char *)HASHdigest;
 	digest.bv_len = sizeof(HASHdigest);
 
 	slen = syntax->ssyn_oidlen;
@@ -611,16 +612,16 @@ octetStringSubstringsFilter (
 		HASH_Init( &HASHcontext );
 		if( prefix != NULL && prefix->bv_len > 0 ) {
 			HASH_Update( &HASHcontext,
-				prefix->bv_val, prefix->bv_len );
+				(unsigned char *)prefix->bv_val, prefix->bv_len );
 		}
 		HASH_Update( &HASHcontext,
-			&pre, sizeof( pre ) );
+			(unsigned char *)&pre, sizeof( pre ) );
 		HASH_Update( &HASHcontext,
-			syntax->ssyn_oid, slen );
+			(unsigned char *)syntax->ssyn_oid, slen );
 		HASH_Update( &HASHcontext,
-			mr->smr_oid, mlen );
+			(unsigned char *)mr->smr_oid, mlen );
 		HASH_Update( &HASHcontext,
-			value->bv_val, klen );
+			(unsigned char *)value->bv_val, klen );
 		HASH_Final( HASHdigest, &HASHcontext );
 
 		ber_dupbv_x( &keys[nkeys++], &digest, ctx );
@@ -645,16 +646,16 @@ octetStringSubstringsFilter (
 				HASH_Init( &HASHcontext );
 				if( prefix != NULL && prefix->bv_len > 0 ) {
 					HASH_Update( &HASHcontext,
-						prefix->bv_val, prefix->bv_len );
+						(unsigned char *)prefix->bv_val, prefix->bv_len );
 				}
 				HASH_Update( &HASHcontext,
-					&pre, sizeof( pre ) );
+					(unsigned char *)&pre, sizeof( pre ) );
 				HASH_Update( &HASHcontext,
-					syntax->ssyn_oid, slen );
+					(unsigned char *)syntax->ssyn_oid, slen );
 				HASH_Update( &HASHcontext,
-					mr->smr_oid, mlen );
+					(unsigned char *)mr->smr_oid, mlen );
 				HASH_Update( &HASHcontext,
-					&value->bv_val[j], klen ); 
+					(unsigned char *)&value->bv_val[j], klen ); 
 				HASH_Final( HASHdigest, &HASHcontext );
 
 				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
@@ -674,16 +675,16 @@ octetStringSubstringsFilter (
 		HASH_Init( &HASHcontext );
 		if( prefix != NULL && prefix->bv_len > 0 ) {
 			HASH_Update( &HASHcontext,
-				prefix->bv_val, prefix->bv_len );
+				(unsigned char *)prefix->bv_val, prefix->bv_len );
 		}
 		HASH_Update( &HASHcontext,
-			&pre, sizeof( pre ) );
+			(unsigned char *)&pre, sizeof( pre ) );
 		HASH_Update( &HASHcontext,
-			syntax->ssyn_oid, slen );
+			(unsigned char *)syntax->ssyn_oid, slen );
 		HASH_Update( &HASHcontext,
-			mr->smr_oid, mlen );
+			(unsigned char *)mr->smr_oid, mlen );
 		HASH_Update( &HASHcontext,
-			&value->bv_val[value->bv_len-klen], klen );
+			(unsigned char *)&value->bv_val[value->bv_len-klen], klen );
 		HASH_Final( HASHdigest, &HASHcontext );
 
 		ber_dupbv_x( &keys[nkeys++], &digest, ctx );
@@ -1116,7 +1117,7 @@ UTF8StringValidate(
 {
 	ber_len_t count;
 	int len;
-	unsigned char *u = in->bv_val;
+	unsigned char *u = (unsigned char *)in->bv_val;
 
 	if( in->bv_len == 0 && syntax == slap_schema.si_syn_directoryString ) {
 		/* directory strings cannot be empty */
@@ -1158,7 +1159,7 @@ UTF8StringValidate(
 
 		/* make sure len corresponds with the offset
 			to the next character */
-		if( LDAP_UTF8_OFFSET( u ) != len ) return LDAP_INVALID_SYNTAX;
+		if( LDAP_UTF8_OFFSET( (char *)u ) != len ) return LDAP_INVALID_SYNTAX;
 	}
 
 	if( count != 0 ) {
@@ -1819,7 +1820,7 @@ UUIDNormalize(
 	struct berval *normalized,
 	void *ctx )
 {
-	unsigned char octet;
+	unsigned char octet = '\0';
 	int i;
 	int j;
 	normalized->bv_len = 16;
@@ -2222,7 +2223,7 @@ certificateExactNormalize(
 
 	assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) );
 
-	p = val->bv_val;
+	p = (unsigned char *)val->bv_val;
 	xcert = d2i_X509( NULL, &p, val->bv_len);
 	if( xcert == NULL ) goto done;
 
@@ -2238,7 +2239,8 @@ certificateExactNormalize(
 	if( rc != LDAP_SUCCESS ) goto done;
 
 	normalized->bv_len = seriallen + issuer_dn.bv_len + 1;
-	p = normalized->bv_val = ch_malloc(normalized->bv_len+1);
+	normalized->bv_val = ch_malloc(normalized->bv_len+1);
+	p = (unsigned char *)normalized->bv_val;
 	AC_MEMCPY(p, serial, seriallen);
 	p += seriallen;
 	*p++ = '$';
diff --git a/servers/slapd/search.c b/servers/slapd/search.c
index 87e2920aba..6f2d046c51 100644
--- a/servers/slapd/search.c
+++ b/servers/slapd/search.c
@@ -71,7 +71,7 @@ do_search(
 	 *		scope		ENUMERATED {
 	 *			baseObject	(0),
 	 *			singleLevel	(1),
-	 *			wholeSubtree	(2)
+	 *			wholeSubtree (2)
 	 *		},
 	 *		derefAliases	ENUMERATED {
 	 *			neverDerefaliases	(0),
@@ -178,6 +178,7 @@ do_search(
 		const char *dummy;	/* ignore msgs from bv2ad */
 		op->ors_attrs[i].an_desc = NULL;
 		op->ors_attrs[i].an_oc = NULL;
+		op->ors_attrs[i].an_oc_exclude = 0;
 		slap_bv2ad(&op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy);
 	}
 
@@ -355,7 +356,8 @@ do_search(
 		be_manageDSAit = manageDSAit;
 	}
 
-	if ( (op->o_bd = select_backend( &op->o_req_ndn, be_manageDSAit, 1 )) == NULL ) {
+	op->o_bd = select_backend( &op->o_req_ndn, be_manageDSAit, 1 );
+	if ( op->o_bd == NULL ) {
 		rs->sr_ref = referral_rewrite( default_referral,
 			NULL, &op->o_req_dn, op->ors_scope );
 
diff --git a/servers/slapd/sessionlog.c b/servers/slapd/sessionlog.c
index edcd5f9f49..9cc3a45a65 100644
--- a/servers/slapd/sessionlog.c
+++ b/servers/slapd/sessionlog.c
@@ -45,6 +45,7 @@ slap_send_session_log(
 
 	uuid_attr[0].an_desc = NULL;
 	uuid_attr[0].an_oc = NULL;
+	uuid_attr[0].an_oc_exclude = 0;
 	uuid_attr[0].an_name.bv_len = 0;
 	uuid_attr[0].an_name.bv_val = NULL;
 	e.e_attrs = NULL;
@@ -93,6 +94,7 @@ slap_send_session_log(
 			rs->sr_ctrls = NULL;
 		}
 	}
+	return LDAP_SUCCESS;
 }
 
 int
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 48415e9322..27b064d7c0 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -720,6 +720,7 @@ typedef struct slap_attr_desc {
 typedef struct slap_attr_name {
 	struct berval an_name;
 	AttributeDescription *an_desc;
+	int an_oc_exclude;
 	ObjectClass *an_oc;
 } AttributeName;
 
@@ -870,9 +871,9 @@ typedef struct slap_mr_assertion {
  */
 typedef struct slap_filter {
 	ber_tag_t	f_choice;	/* values taken from ldap.h, plus: */
-#define SLAPD_FILTER_COMPUTED	((ber_tag_t) -1)
-#define SLAPD_FILTER_DN_ONE		((ber_tag_t) -2)
-#define SLAPD_FILTER_DN_SUBTREE	((ber_tag_t) -3)
+#define SLAPD_FILTER_COMPUTED		((ber_tag_t) -1)
+#define SLAPD_FILTER_DN_ONE			((ber_tag_t) -2)
+#define SLAPD_FILTER_DN_SUBTREE		((ber_tag_t) -3)
 
 	union f_un_u {
 		/* precomputed result */
@@ -1280,15 +1281,15 @@ struct slap_limits_set {
 struct slap_limits {
 	int     lm_type;	/* type of pattern */
 #define SLAP_LIMITS_UNDEFINED	0x0000
-#define SLAP_LIMITS_EXACT	0x0001
-#define SLAP_LIMITS_BASE	SLAP_LIMITS_EXACT
-#define SLAP_LIMITS_ONE		0x0002
-#define SLAP_LIMITS_SUBTREE	0x0003
+#define SLAP_LIMITS_EXACT		0x0001
+#define SLAP_LIMITS_BASE		SLAP_LIMITS_EXACT
+#define SLAP_LIMITS_ONE			0x0002
+#define SLAP_LIMITS_SUBTREE		0x0003
 #define SLAP_LIMITS_CHILDREN	0x0004
-#define SLAP_LIMITS_REGEX	0x0005
+#define SLAP_LIMITS_REGEX		0x0005
 #define SLAP_LIMITS_ANONYMOUS	0x0006
-#define SLAP_LIMITS_USERS	0x0007
-#define SLAP_LIMITS_ANY		0x0008
+#define SLAP_LIMITS_USERS		0x0007
+#define SLAP_LIMITS_ANY			0x0008
 	regex_t	lm_dn_regex;		/* regex data for REGEX */
 
 	/*
diff --git a/servers/slapd/slapi/TODO b/servers/slapd/slapi/TODO
index 546a6312f2..ea50430773 100644
--- a/servers/slapd/slapi/TODO
+++ b/servers/slapd/slapi/TODO
@@ -1,3 +1,4 @@
+- de-IBM SLAPI
 - add a config statement, or redefine the dynamic backend one,
   "modulepath", to set/modify the load path also for plugins
   (both plugins and modules use ltdl, so "modulepath" suffices ...)
@@ -6,9 +7,6 @@
 - use syslog where available?
 - add some plugin monitoring stuff in back-monitor (e.g. a subentry
   for each plugin with data from struct Slapi_PluginDesc)
-
-
-
 - This is a very tough task: try to implement a sandbox to execute
   plugins in, trap deadly signals and possibly disable unsafe plugins
   without crashing slapd (fork from inside thread? trap signals
diff --git a/servers/slapd/slapi/slapi_ops.c b/servers/slapd/slapi/slapi_ops.c
index 1e97caf751..3e42bb727c 100644
--- a/servers/slapd/slapi/slapi_ops.c
+++ b/servers/slapd/slapi/slapi_ops.c
@@ -1144,6 +1144,7 @@ slapi_search_internal(
 		for (i = 0; attrs[i] != 0; i++) {
 			an[i].an_desc = NULL;
 			an[i].an_oc = NULL;
+			an[i].an_oc_exclude = 0;
 			an[i].an_name.bv_val = slapi_ch_strdup(attrs[i]);
 			an[i].an_name.bv_len = strlen(attrs[i]);
 			slap_bv2ad( &an[i].an_name, &an[i].an_desc, &text );
-- 
2.39.5