Merge in recent changes to HEAD

diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 62f7dad9fb9f6dae05388efc5e1b24a4a5a7d053..01688dcb8d635096c58fff5d4587de19c62baebe 100644 (file)
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -539,6 +539,7 @@ parse_acl(
                        {
                                free( a->acl_dn_pat.bv_val );
                                BER_BVZERO( &a->acl_dn_pat );
+                               a->acl_dn_style = ACL_STYLE_REGEX;
                        }
                        
                        if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||

diff --git a/servers/slapd/add.c b/servers/slapd/add.c
index ada140c384376dfa99773559e47136840404144a..39480b5c932bc3e1547531581a98860ab86b7e8e 100644 (file)
--- a/servers/slapd/add.c
+++ b/servers/slapd/add.c
@@ -214,6 +214,8 @@ fe_op_add( Operation *op, SlapReply *rs )
        Modifications   **modtail = &modlist;
        int             rc = 0;
        BackendDB *op_be;
+       char            textbuf[ SLAP_TEXT_BUFLEN ];
+       size_t          textlen = sizeof( textbuf );
 
        manageDSAit = get_manageDSAit( op );
 
@@ -262,6 +264,14 @@ fe_op_add( Operation *op, SlapReply *rs )
                goto done;
        }
 
+       rs->sr_err = slap_mods_obsolete_check( op, modlist,
+               &rs->sr_text, textbuf, textlen );
+
+       if ( rs->sr_err != LDAP_SUCCESS ) {
+               send_ldap_result( op, rs );
+               goto done;
+       }
+
 #ifdef LDAP_SLAPI
        if ( op->o_pb ) init_add_pblock( op, &op->o_req_dn, op->ora_e, manageDSAit );
 #endif /* LDAP_SLAPI */
@@ -280,16 +290,13 @@ fe_op_add( Operation *op, SlapReply *rs )
 #endif
                {
                        int             update = !BER_BVISEMPTY( &op->o_bd->be_update_ndn );
-                       char            textbuf[ SLAP_TEXT_BUFLEN ];
-                       size_t          textlen = sizeof( textbuf );
                        slap_callback   cb = { NULL, slap_replog_cb, NULL, NULL };
 
                        op->o_bd = op_be;
 
                        if ( !update ) {
-                               rs->sr_err = slap_mods_no_update_check( modlist,
-                                               &rs->sr_text,
-                                               textbuf, textlen );
+                               rs->sr_err = slap_mods_no_user_mod_check( op, modlist,
+                                       &rs->sr_text, textbuf, textlen );
 
                                if ( rs->sr_err != LDAP_SUCCESS ) {
                                        send_ldap_result( op, rs );

diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c
index cdfb3a2fe57eb6a11668fe312d7d7b539c8d0265..63973e03cfa53ec2271214579cb3558f4eec0f52 100644 (file)
--- a/servers/slapd/attr.c
+++ b/servers/slapd/attr.c
@@ -46,6 +46,10 @@ attr_free( Attribute *a )
        if ( a->a_nvals && a->a_nvals != a->a_vals ) {
                ber_bvarray_free( a->a_nvals );
        }
+       /* a_vals may be equal to slap_dummy_bv, a static empty berval;
+        * this is used as a placeholder for attributes that do not carry
+        * values, e.g. when proxying search entries with the "attrsonly"
+        * bit set. */
        if ( a->a_vals != &slap_dummy_bv ) {
                ber_bvarray_free( a->a_vals );
        }

diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c
index 7db122d5bf4e25e72b60bf8ada3e431ce232f040..4ef340e92b82156c1dd319b8f307efd88359fae5 100644 (file)
--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@@ -52,8 +52,8 @@ bdb_add(Operation *op, SlapReply *rs )
        ctrls[num_ctrls] = 0;
 
        /* check entry's schema */
-       rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e,
-               NULL, &rs->sr_text, textbuf, textlen );
+       rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
+               get_manageDIT(op), &rs->sr_text, textbuf, textlen );
        if ( rs->sr_err != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_TRACE,
                        LDAP_XSTRING(bdb_add) ": entry failed schema check: "
@@ -191,8 +191,8 @@ retry:      /* transaction retry */
                        }
 
                        Debug( LDAP_DEBUG_TRACE,
-                               LDAP_XSTRING(bdb_add) ": no write access "
-                               "to parent\n", 0, 0, 0 );
+                               LDAP_XSTRING(bdb_add) ": no write access to parent\n",
+                               0, 0, 0 );
                        rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                        rs->sr_text = "no write access to parent";
                        goto return_results;;

diff --git a/servers/slapd/back-bdb/modify.c b/servers/slapd/back-bdb/modify.c
index 1f8af04ce46746ed0b7a4c659e990a01ea89211a..7e85e8b322d9954fe9adf47adb9c47e562c97d41 100644 (file)
--- a/servers/slapd/back-bdb/modify.c
+++ b/servers/slapd/back-bdb/modify.c
@@ -196,7 +196,8 @@ int bdb_modify_internal(
        }
 
        /* check that the entry still obeys the schema */
-       rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
+       rc = entry_schema_check( op->o_bd, e, save_attrs, get_manageDIT(op),
+               text, textbuf, textlen );
        if ( rc != LDAP_SUCCESS || op->o_noop ) {
                attrs_free( e->e_attrs );
                /* clear the indexing flags */

diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index beb560c3e610a77760e7a72b8a52929c132c31f2..79b5d8e8e58383429dc844b463a984b6bbb4c82e 100644 (file)
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -45,7 +45,7 @@ struct ldapconn {
  * identity assertion modes
  */
 enum {
-       LDAP_BACK_IDASSERT_LEGACY,
+       LDAP_BACK_IDASSERT_LEGACY = 1,
        LDAP_BACK_IDASSERT_NOASSERT,
        LDAP_BACK_IDASSERT_ANONYMOUS,
        LDAP_BACK_IDASSERT_SELF,
@@ -57,26 +57,28 @@ struct ldapinfo {
        char            *url;
        LDAPURLDesc     *lud;
 
-       slap_bindconf   acl_la;
-#define        acl_authcID     acl_la.sb_authcId
-#define        acl_authcDN     acl_la.sb_binddn
-#define        acl_passwd      acl_la.sb_cred
-#define        acl_authzID     acl_la.sb_authzId
-#define        acl_authmethod  acl_la.sb_method
-#define        acl_sasl_mech   acl_la.sb_saslmech
-#define        acl_sasl_realm  acl_la.sb_realm
+       slap_bindconf   acl_sb;
+#define        acl_authcID     acl_sb.sb_authcId
+#define        acl_authcDN     acl_sb.sb_binddn
+#define        acl_passwd      acl_sb.sb_cred
+#define        acl_authzID     acl_sb.sb_authzId
+#define        acl_authmethod  acl_sb.sb_method
+#define        acl_sasl_mech   acl_sb.sb_saslmech
+#define        acl_sasl_realm  acl_sb.sb_realm
+#define        acl_secprops    acl_sb.sb_secprops
 
        /* ID assert stuff */
        int             idassert_mode;
 
-       slap_bindconf   idassert_la;
-#define        idassert_authcID        idassert_la.sb_authcId
-#define        idassert_authcDN        idassert_la.sb_binddn
-#define        idassert_passwd         idassert_la.sb_cred
-#define        idassert_authzID        idassert_la.sb_authzId
-#define        idassert_authmethod     idassert_la.sb_method
-#define        idassert_sasl_mech      idassert_la.sb_saslmech
-#define        idassert_sasl_realm     idassert_la.sb_realm
+       slap_bindconf   idassert_sb;
+#define        idassert_authcID        idassert_sb.sb_authcId
+#define        idassert_authcDN        idassert_sb.sb_binddn
+#define        idassert_passwd         idassert_sb.sb_cred
+#define        idassert_authzID        idassert_sb.sb_authzId
+#define        idassert_authmethod     idassert_sb.sb_method
+#define        idassert_sasl_mech      idassert_sb.sb_saslmech
+#define        idassert_sasl_realm     idassert_sb.sb_realm
+#define        idassert_secprops       idassert_sb.sb_secprops
 
        unsigned        idassert_flags;
 #define LDAP_BACK_AUTH_NONE            0x00U
@@ -93,11 +95,15 @@ struct ldapinfo {
 #define LDAP_BACK_F_USE_TLS            0x02U
 #define LDAP_BACK_F_PROPAGATE_TLS      0x04U
 #define LDAP_BACK_F_TLS_CRITICAL       0x08U
-#define LDAP_BACK_F_TLS_MASK           (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
+#define LDAP_BACK_F_TLS_USE_MASK       (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_TLS_CRITICAL)
+#define LDAP_BACK_F_TLS_PROPAGATE_MASK (LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
+#define LDAP_BACK_F_TLS_MASK           (LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK)
 #define LDAP_BACK_F_CHASE_REFERRALS    0x10U
+#define LDAP_BACK_F_PROXY_WHOAMI       0x20U
 
 #define        LDAP_BACK_F_SUPPORT_T_F                 0x80U
 #define        LDAP_BACK_F_SUPPORT_T_F_DISCOVER        0x40U
+#define        LDAP_BACK_F_SUPPORT_T_F_MASK            (LDAP_BACK_F_SUPPORT_T_F|LDAP_BACK_F_SUPPORT_T_F_DISCOVER)
 
 #define LDAP_BACK_SAVECRED(li)         ( (li)->flags & LDAP_BACK_F_SAVECRED )
 #define LDAP_BACK_USE_TLS(li)          ( (li)->flags & LDAP_BACK_F_USE_TLS )

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index e53e7b5b3f3b40e37b44d8bcbb0baa66618ab727..ce991e476c96b8e84ebf505a1efe4d04827f0a13 100644 (file)
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -510,14 +510,15 @@ ldap_back_dobind_int(
                if ( lc->lc_ispriv && li->acl_authmethod == LDAP_AUTH_SASL ) {
                        void            *defaults = NULL;
 
-#if 0  /* will deal with this later... */
-                       if ( sasl_secprops != NULL ) {
-                               rs->sr_err = ldap_set_option( lc->lc_ld, LDAP_OPT_X_SASL_SECPROPS,
-                                       (void *) sasl_secprops );
-
-                               if ( rs->sr_err != LDAP_OPT_SUCCESS ) {
-                                       send_ldap_result( op, rs );
-                                       lc->lc_bound = 0;
+#if 1  /* will deal with this later... */
+                       if ( li->acl_secprops != NULL ) {
+                               rc = ldap_set_option( lc->lc_ld,
+                                       LDAP_OPT_X_SASL_SECPROPS, li->acl_secprops);
+
+                               if( rc != LDAP_OPT_SUCCESS ) {
+                                       Debug( LDAP_DEBUG_ANY, "Error: ldap_set_option "
+                                               "(%s,SECPROPS,\"%s\") failed!\n",
+                                               li->url, li->acl_secprops, 0 );
                                        goto done;
                                }
                        }

diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c
index 573ab84ebeb0be6a9caef20376c4acdb4e85d217..05593fa5cbc4524a536aca6d1a8ea0347e96cc59 100644 (file)
--- a/servers/slapd/back-ldap/chain.c
+++ b/servers/slapd/back-ldap/chain.c
@@ -29,6 +29,8 @@
 #include "slap.h"
 #include "back-ldap.h"
 
+#include "config.h"
+
 #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
 #define SLAP_CHAINING_DEFAULT                          LDAP_CHAINING_PREFERRED
 #define SLAP_CH_RESOLVE_SHIFT                          SLAP_CONTROL_SHIFT
@@ -673,20 +675,277 @@ str2chain( const char *s )
 }
 #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
 
+enum {
+       PC_CHAINING = 1
+};
+
+static ConfigDriver chain_cf_gen;
+static ConfigLDAPadd chain_ldadd;
+static ConfigCfAdd chain_cfadd;
+
+static ConfigTable chaincfg[] = {
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+       { "chain-chaining", "args",
+               2, 4, 0, ARG_MAGIC|ARG_BERVAL|PC_CHAINING, chain_cf_gen,
+               "( OLcfgOvAt:3.1 NAME 'olcChainingBehavior' "
+                       "DESC 'Chaining behavior control parameters (draft-sermersheim-ldap-chaining)' "
+                       "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+       { NULL, NULL, 0, 0, 0, ARG_IGNORED }
+};
+
+static ConfigOCs chainocs[] = {
+       { "( OLcfgOvOc:3.1 "
+               "NAME 'olcChainConfig' "
+               "DESC 'Chain configuration' "
+               "SUP olcOverlayConfig "
+               "MAY olcChainingBehavior )", Cft_Overlay, chaincfg, NULL, chain_cfadd },
+       { "( OLcfgOvOc:3.2 "
+               "NAME 'olcChainDatabase' "
+               "DESC 'Chain remote server configuration' "
+               "AUXILIARY )", Cft_Misc, chaincfg, chain_ldadd },
+       { NULL, 0, NULL }
+};
+
+static int
+chain_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *ca )
+{
+       if ( p->ce_type != Cft_Overlay || !p->ce_bi ||
+               p->ce_bi->bi_cf_ocs != chainocs )
+               return LDAP_CONSTRAINT_VIOLATION;
+
+       return LDAP_SUCCESS;
+}
+
+static int
+chain_cfadd( Operation *op, SlapReply *rs, Entry *p, ConfigArgs *ca )
+{
+       CfEntryInfo     *pe = p->e_private;
+       slap_overinst   *on = (slap_overinst *)pe->ce_bi;
+       ldap_chain_t    *lc = (ldap_chain_t *)on->on_bi.bi_private;
+       void            *priv = (void *)ca->be->be_private;
+       struct berval   bv;
+
+       /* FIXME: should not hardcode "olcDatabase" here */
+       bv.bv_len = sprintf( ca->msg, "olcDatabase=%s", lback->bi_type );
+       bv.bv_val = ca->msg;
+
+       /* We can only create this entry if the database is table-driven */
+       if ( lback->bi_cf_ocs ) {
+               ca->be->be_private = (void *)lc->lc_li;
+               config_build_entry( op, rs, pe, ca, &bv, lback->bi_cf_ocs, &chainocs[1] );
+               ca->be->be_private = priv;
+       }
+
+       return 0;
+}
+
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+static slap_verbmasks chaining_mode[] = {
+       { BER_BVC("referralsRequired"),         LDAP_REFERRALS_REQUIRED },
+       { BER_BVC("referralsPreferred"),        LDAP_REFERRALS_PREFERRED },
+       { BER_BVC("chainingRequired"),          LDAP_CHAINING_REQUIRED },
+       { BER_BVC("chainingPreferred"),         LDAP_CHAINING_PREFERRED },
+       { BER_BVNULL,                           0 }
+};
+#endif
+
+static int
+chain_cf_gen( ConfigArgs *c )
+{
+       slap_overinst   *on = (slap_overinst *)c->bi;
+       ldap_chain_t    *lc = (ldap_chain_t *)on->on_bi.bi_private;
+
+       int             rc = 0;
+
+       if ( c->op == SLAP_CONFIG_EMIT ) {
+               switch( c->type ) {
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+               case PC_CHAINING: {
+                       struct berval   resolve = BER_BVNULL,
+                                       continuation = BER_BVNULL;
+
+                       if ( !( lc->lc_flags & LDAP_CHAIN_F_CHAINING ) ) {
+                               return 1;
+                       }
+
+                       enum_to_verb( chaining_mode, ( ( lc->lc_chaining_ctrlflag & SLAP_CH_RESOLVE_MASK ) >> SLAP_CH_RESOLVE_SHIFT ), &resolve );
+                       enum_to_verb( chaining_mode, ( ( lc->lc_chaining_ctrlflag & SLAP_CH_CONTINUATION_MASK ) >> SLAP_CH_CONTINUATION_SHIFT ), &continuation );
+
+                       c->value_bv.bv_len = STRLENOF( "resolve=" ) + resolve.bv_len
+                               + STRLENOF( " " )
+                               + STRLENOF( "continuation=" ) + continuation.bv_len;
+                       c->value_bv.bv_val = ch_malloc( c->value_bv.bv_len + 1 );
+                       snprintf( c->value_bv.bv_val, c->value_bv.bv_len + 1,
+                               "resolve=%s continuation=%s",
+                               resolve.bv_val, continuation.bv_val );
+
+                       if ( lc->lc_chaining_ctrl.ldctl_iscritical ) {
+                               c->value_bv.bv_val = ch_realloc( c->value_bv.bv_val,
+                                       c->value_bv.bv_len + STRLENOF( " critical" ) + 1 );
+                               AC_MEMCPY( &c->value_bv.bv_val[ c->value_bv.bv_len ],
+                                       " critical", STRLENOF( " critical" ) + 1 );
+                               c->value_bv.bv_len += STRLENOF( " critical" );
+                       }
+
+                       break;
+               }
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+
+               default:
+                       assert( 0 );
+                       rc = 1;
+               }
+               return rc;
+
+       } else if ( c->op == LDAP_MOD_DELETE ) {
+               return 1;       /* FIXME */
+#if 0
+               switch( c->type ) {
+               case PC_ATTR:
+               case PC_TEMP:
+               }
+               return rc;
+#endif
+       }
+
+       switch( c->type ) {
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+       case PC_CHAINING: {
+               char                    **argv = c->argv;
+               int                     argc = c->argc;
+               BerElementBuffer        berbuf;
+               BerElement              *ber = (BerElement *)&berbuf;
+               int                     resolve = -1,
+                                       continuation = -1,
+                                       iscritical = 0;
+               Operation               op = { 0 };
+               SlapReply               rs = { 0 };
+
+               lc->lc_chaining_ctrlflag = 0;
+
+               for ( argc--, argv++; argc > 0; argc--, argv++ ) {
+                       if ( strncasecmp( argv[ 0 ], "resolve=", STRLENOF( "resolve=" ) ) == 0 ) {
+                               resolve = str2chain( argv[ 0 ] + STRLENOF( "resolve=" ) );
+                               if ( resolve == -1 ) {
+                                       fprintf( stderr, "%s line %d: "
+                                               "illegal <resolve> value %s "
+                                               "in \"chain-chaining>\"\n",
+                                               c->fname, c->lineno, argv[ 0 ] );
+                                       return 1;
+                               }
+
+                       } else if ( strncasecmp( argv[ 0 ], "continuation=", STRLENOF( "continuation=" ) ) == 0 ) {
+                               continuation = str2chain( argv[ 0 ] + STRLENOF( "continuation=" ) );
+                               if ( continuation == -1 ) {
+                                       fprintf( stderr, "%s line %d: "
+                                               "illegal <continuation> value %s "
+                                               "in \"chain-chaining\"\n",
+                                               c->fname, c->lineno, argv[ 0 ] );
+                                       return 1;
+                               }
+
+                       } else if ( strcasecmp( argv[ 0 ], "critical" ) == 0 ) {
+                               iscritical = 1;
+
+                       } else {
+                               fprintf( stderr, "%s line %d: "
+                                       "unknown option in \"chain-chaining\"\n",
+                                       c->fname, c->lineno );
+                               return 1;
+                       }
+               }
+
+               if ( resolve != -1 || continuation != -1 ) {
+                       int     err;
+
+                       if ( resolve == -1 ) {
+                               /* default */
+                               resolve = SLAP_CHAINING_DEFAULT;
+                       }
+
+                       ber_init2( ber, NULL, LBER_USE_DER );
+
+                       err = ber_printf( ber, "{e" /* } */, resolve );
+                       if ( err == -1 ) {
+                               ber_free( ber, 1 );
+                               fprintf( stderr, "%s line %d: "
+                                       "chaining behavior control encoding error!\n",
+                                       c->fname, c->lineno );
+                               return 1;
+                       }
+
+                       if ( continuation > -1 ) {
+                               err = ber_printf( ber, "e", continuation );
+                               if ( err == -1 ) {
+                                       ber_free( ber, 1 );
+                                       fprintf( stderr, "%s line %d: "
+                                               "chaining behavior control encoding error!\n",
+                                               c->fname, c->lineno );
+                                       return 1;
+                               }
+                       }
+
+                       err = ber_printf( ber, /* { */ "N}" );
+                       if ( err == -1 ) {
+                               ber_free( ber, 1 );
+                               fprintf( stderr, "%s line %d: "
+                                       "chaining behavior control encoding error!\n",
+                                       c->fname, c->lineno );
+                               return 1;
+                       }
+
+                       if ( ber_flatten2( ber, &lc->lc_chaining_ctrl.ldctl_value, 0 ) == -1 ) {
+                               exit( EXIT_FAILURE );
+                       }
+
+               } else {
+                       BER_BVZERO( &lc->lc_chaining_ctrl.ldctl_value );
+               }
+
+               lc->lc_chaining_ctrl.ldctl_oid = LDAP_CONTROL_X_CHAINING_BEHAVIOR;
+               lc->lc_chaining_ctrl.ldctl_iscritical = iscritical;
+
+               if ( ldap_chain_parse_ctrl( &op, &rs, &lc->lc_chaining_ctrl ) != LDAP_SUCCESS )
+               {
+                       fprintf( stderr, "%s line %d: "
+                               "unable to parse chaining control%s%s\n",
+                               c->fname, c->lineno,
+                               rs.sr_text ? ": " : "",
+                               rs.sr_text ? rs.sr_text : "" );
+                       return 1;
+               }
+
+               lc->lc_chaining_ctrlflag = op.o_chaining;
+
+               lc->lc_flags |= LDAP_CHAIN_F_CHAINING;
+
+               rc = 0;
+
+               break;
+       }
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+
+       default:
+               assert( 0 );
+               return 1;
+       }
+       return rc;
+}
+
 static int
 ldap_chain_db_config(
        BackendDB       *be,
        const char      *fname,
        int             lineno,
        int             argc,
-       char    **argv
-)
+       char            **argv )
 {
        slap_overinst   *on = (slap_overinst *) be->bd_info;
        ldap_chain_t    *lc = (ldap_chain_t *)on->on_bi.bi_private;
-       void            *private = be->be_private;
        char            *argv0 = NULL;
        int             rc;
+       BackendDB       db = *be;
 
        if ( strncasecmp( argv[ 0 ], "chain-", STRLENOF( "chain-" ) ) == 0 ) {
                argv0 = argv[ 0 ];
@@ -807,10 +1066,9 @@ ldap_chain_db_config(
 #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
        }
 
-
-       be->be_private = lc->lc_li;
-       rc = lback->bi_db_config( be, fname, lineno, argc, argv );
-       be->be_private = private;
+       db.be_cf_ocs = lback->bi_cf_ocs;
+       db.be_private = lc->lc_li;
+       rc = lback->bi_db_config( &db, fname, lineno, argc, argv );
 
 done:;
        if ( argv0 ) {
@@ -822,8 +1080,7 @@ done:;
 
 static int
 ldap_chain_db_init(
-       BackendDB *be
-)
+       BackendDB *be )
 {
        slap_overinst   *on = (slap_overinst *)be->bd_info;
        ldap_chain_t    *lc = NULL;
@@ -1033,9 +1290,9 @@ static slap_overinst ldapchain;
 int
 chain_init( void )
 {
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
        int     rc;
 
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
        rc = register_supported_control( LDAP_CONTROL_X_CHAINING_BEHAVIOR,
                        /* SLAP_CTRL_GLOBAL| */ SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE, NULL,
                        ldap_chain_parse_ctrl, &sc_chainingBehavior );
@@ -1066,6 +1323,13 @@ chain_init( void )
 
        ldapchain.on_response = ldap_chain_response;
 
+       ldapchain.on_bi.bi_cf_ocs = chainocs;
+
+       rc = config_register_schema( chaincfg, chainocs );
+       if ( rc ) {
+               return rc;
+       }
+
        return overlay_register( &ldapchain );
 }
 

diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index e570e3b0e4f922588c1d4277a10d12576e9c4652..d01b8a825e85fd21d6dfaa1905903be4aedea7ec 100644 (file)
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -26,17 +26,1098 @@
 #include <stdio.h>
 
 #include <ac/string.h>
+#include <ac/ctype.h>
 #include <ac/socket.h>
 
 #include "slap.h"
+#include "config.h"
 #include "back-ldap.h"
 #include "lutil.h"
+#include "ldif.h"
 #undef ldap_debug
 /* for advanced URL parsing */
 #include "../../../libraries/libldap/ldap-int.h"
 
 static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
 
+static ConfigDriver ldap_back_cf_gen;
+
+enum {
+       LDAP_BACK_CFG_URI = 1,
+       LDAP_BACK_CFG_TLS,
+       LDAP_BACK_CFG_ACL_AUTHCDN,
+       LDAP_BACK_CFG_ACL_PASSWD,
+       LDAP_BACK_CFG_ACL_METHOD,
+       LDAP_BACK_CFG_ACL_BIND,
+       LDAP_BACK_CFG_IDASSERT_MODE,
+       LDAP_BACK_CFG_IDASSERT_AUTHCDN,
+       LDAP_BACK_CFG_IDASSERT_PASSWD,
+       LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
+       LDAP_BACK_CFG_IDASSERT_METHOD,
+       LDAP_BACK_CFG_IDASSERT_BIND,
+       LDAP_BACK_CFG_REBIND,
+       LDAP_BACK_CFG_CHASE,
+       LDAP_BACK_CFG_T_F,
+       LDAP_BACK_CFG_WHOAMI,
+       LDAP_BACK_CFG_REWRITE
+};
+
+static ConfigTable ldapcfg[] = {
+       { "uri", "uri", 2, 2, 0,
+               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_URI,
+               ldap_back_cf_gen, "( OLcfgDbAt:0.14 "
+                       "NAME 'olcDbURI' "
+                       "DESC 'URI (list) for remote DSA' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "tls", "what", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_TLS,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.1 "
+                       "NAME 'olcDbStartTLS' "
+                       "DESC 'StartTLS' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "acl-authcDN", "DN", 2, 2, 0,
+               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.2 "
+                       "NAME 'olcDbACLAuthcDn' "
+                       "DESC 'Remote ACL administrative identity' "
+                       "OBSOLETE "
+                       "SYNTAX OMsDN "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       /* deprecated; aliases "acl-authcDN" */
+       { "binddn", "DN", 2, 2, 0,
+               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "acl-passwd", "cred", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.3 "
+                       "NAME 'olcDbACLPasswd' "
+                       "DESC 'Remote ACL administrative identity credentials' "
+                       "OBSOLETE "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       /* deprecated; aliases "acl-passwd" */
+       { "bindpw", "cred", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "acl-bind", "args", 2, 0, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.4 "
+                       "NAME 'olcDbACLBind' "
+                       "DESC 'Remote ACL administrative identity auth bind configuration' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       /* deprecated; aliases "acl-bind" */
+       { "acl-method", "args", 2, 0, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "idassert-authcDN", "DN", 2, 2, 0,
+               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.5 "
+                       "NAME 'olcDbIDAssertAuthcDn' "
+                       "DESC 'Remote Identity Assertion administrative identity' "
+                       "OBSOLETE "
+                       "SYNTAX OMsDN "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       /* deprecated; partially aliases "idassert-authcDN" */
+       { "proxyauthzdn", "DN", 2, 2, 0,
+               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "idassert-passwd", "cred", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.6 "
+                       "NAME 'olcDbIDAssertPasswd' "
+                       "DESC 'Remote Identity Assertion administrative identity credentials' "
+                       "OBSOLETE "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       /* deprecated; partially aliases "idassert-passwd" */
+       { "proxyauthzpw", "cred", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "idassert-bind", "args", 2, 0, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.7 "
+                       "NAME 'olcDbIDAssertBind' "
+                       "DESC 'Remote Identity Assertion administrative identity auth bind configuration' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "idassert-method", "args", 2, 0, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "idassert-mode", "mode>|u:<user>|[dn:]<DN", 2, 0, 0,
+               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_MODE,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.8 "
+                       "NAME 'olcDbIDAssertMode' "
+                       "DESC 'Remote Identity Assertion mode' "
+                       "OBSOLETE "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE)",
+               NULL, NULL },
+       { "idassert-authzFrom", "authzRule", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
+                       "NAME 'olcDbIDAssertAuthzFrom' "
+                       "DESC 'Remote Identity Assertion authz rules' "
+                       "SYNTAX OMsDirectoryString "
+                       "X-ORDERED 'VALUES' )",
+               NULL, NULL },
+       { "rebind-as-user", "NO|yes", 1, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_REBIND,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.10 "
+                       "NAME 'olcDbRebindAsUser' "
+                       "DESC 'Rebind as user' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "chase-referrals", "YES|no", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_CHASE,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.11 "
+                       "NAME 'olcDbChaseReferrals' "
+                       "DESC 'Chase referrals' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "t-f-support", "NO|yes|discover", 2, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_T_F,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.12 "
+                       "NAME 'olcDbTFSupport' "
+                       "DESC 'Absolute filters support' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "proxy-whoami", "NO|yes", 1, 2, 0,
+               ARG_BERVAL|ARG_MAGIC|LDAP_BACK_CFG_WHOAMI,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.13 "
+                       "NAME 'olcDbProxyWhoAmI' "
+                       "DESC 'Proxy whoAmI exop' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "suffixmassage", "[virtual]> <real", 2, 3, 0,
+               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
+               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { "rewrite", "<arglist>", 2, 4, STRLENOF( "rewrite" ),
+               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
+               ldap_back_cf_gen, NULL, NULL, NULL },
+       { NULL, NULL, 0, 0, 0, ARG_IGNORED,
+               NULL, NULL, NULL, NULL }
+};
+
+static ConfigOCs ldapocs[] = {
+       { "( OLcfgDbOc:3.1 "
+               "NAME 'olcLDAPConfig' "
+               "DESC 'LDAP backend configuration' "
+               "SUP olcDatabaseConfig "
+               "MUST olcDbURI "
+               "MAY ( olcDbStartTLS "
+                       "$ olcDbACLAuthcDn "
+                       "$ olcDbACLPasswd "
+                       "$ olcDbACLBind "
+                       "$ olcDbIDAssertAuthcDn "
+                       "$ olcDbIDAssertPasswd "
+                       "$ olcDbIDAssertBind "
+                       "$ olcDbIDAssertMode "
+                       "$ olcDbIDAssertAuthzFrom "
+                       "$ olcDbRebindAsUser "
+                       "$ olcDbChaseReferrals "
+                       "$ olcDbTFSupport "
+                       "$ olcDbProxyWhoAmI "
+               ") )",
+                       Cft_Database, ldapcfg},
+       { NULL, 0, NULL }
+};
+
+#define        LDAP_BACK_C_NO                  (0x0U)
+#define        LDAP_BACK_C_YES                 (0x1U)
+static slap_verbmasks yn_mode[] = {
+       { BER_BVC( "yes" ),             LDAP_BACK_C_YES},
+       { BER_BVC( "no" ),              LDAP_BACK_C_NO },
+       { BER_BVNULL,                   0 }
+};
+
+static slap_verbmasks idassert_mode[] = {
+       { BER_BVC("self"),              LDAP_BACK_IDASSERT_SELF },
+       { BER_BVC("anonymous"),         LDAP_BACK_IDASSERT_ANONYMOUS },
+       { BER_BVC("none"),              LDAP_BACK_IDASSERT_NOASSERT },
+       { BER_BVC("legacy"),            LDAP_BACK_IDASSERT_LEGACY },
+       { BER_BVNULL,                   0 }
+};
+
+static slap_verbmasks tls_mode[] = {
+       { BER_BVC( "propagate" ),       LDAP_BACK_F_TLS_PROPAGATE_MASK },
+       { BER_BVC( "try-propagate" ),   LDAP_BACK_F_PROPAGATE_TLS },
+       { BER_BVC( "start" ),           LDAP_BACK_F_TLS_USE_MASK },
+       { BER_BVC( "try-start" ),       LDAP_BACK_F_USE_TLS },
+       { BER_BVC( "none" ),            LDAP_BACK_C_NO },
+       { BER_BVNULL,                   0 }
+};
+
+static slap_verbmasks t_f_mode[] = {
+       { BER_BVC( "yes" ),             LDAP_BACK_F_SUPPORT_T_F },
+       { BER_BVC( "discover" ),        LDAP_BACK_F_SUPPORT_T_F_DISCOVER },
+       { BER_BVC( "no" ),              LDAP_BACK_C_NO },
+       { BER_BVNULL,                   0 }
+};
+
+static int
+ldap_back_cf_gen( ConfigArgs *c )
+{
+       struct ldapinfo *li = ( struct ldapinfo * )c->be->be_private;
+       int             rc;
+       int             i;
+
+       if ( c->op == SLAP_CONFIG_EMIT ) {
+               struct berval   bv = BER_BVNULL;
+               rc = 0;
+
+               switch( c->type ) {
+               case LDAP_BACK_CFG_URI:
+                       if ( li->url != NULL ) {
+                               c->value_string = ch_strdup( li->url );
+
+                       } else {
+                               rc = 1;
+                       }
+                       break;
+
+               case LDAP_BACK_CFG_TLS:
+                       enum_to_verb( tls_mode, ( li->flags & LDAP_BACK_F_TLS_MASK ), &bv );
+                       if ( BER_BVISNULL( &bv ) ) {
+                               /* there's something wrong... */
+                               assert( 0 );
+                               rc = 1;
+
+                       } else {
+                               ber_dupbv( &c->value_bv, &bv );
+                       }
+                       break;
+
+               case LDAP_BACK_CFG_ACL_AUTHCDN:
+               case LDAP_BACK_CFG_ACL_PASSWD:
+               case LDAP_BACK_CFG_ACL_METHOD:
+                       /* handled by LDAP_BACK_CFG_ACL_BIND */
+                       rc = 1;
+                       break;
+
+               case LDAP_BACK_CFG_ACL_BIND: {
+                       int     i;
+
+                       bindconf_unparse( &li->acl_sb, &c->value_bv );
+
+                       for ( i = 0; isspace( c->value_bv.bv_val[ i ] ); i++ )
+                               /* count spaces */ ;
+
+                       if ( i ) {
+                               c->value_bv.bv_len -= i;
+                               AC_MEMCPY( c->value_bv.bv_val, &c->value_bv.bv_val[ i ],
+                                               c->value_bv.bv_len + 1 );
+                       }
+                       
+                       break;
+               }
+
+               case LDAP_BACK_CFG_IDASSERT_MODE:
+               case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
+               case LDAP_BACK_CFG_IDASSERT_PASSWD:
+               case LDAP_BACK_CFG_IDASSERT_METHOD:
+                       /* handled by LDAP_BACK_CFG_IDASSERT_BIND */
+                       rc = 1;
+                       break;
+
+               case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
+                       int             i;
+
+                       if ( li->idassert_authz == NULL ) {
+                               rc = 1;
+                               break;
+                       }
+
+                       for ( i = 0; !BER_BVISNULL( &li->idassert_authz[ i ] ); i++ )
+                       {
+                               struct berval   bv;
+
+                               ber_dupbv( &bv, &li->idassert_authz[ i ] );
+                               ber_bvarray_add( &c->rvalue_vals, &bv );
+                       }
+                       break;
+               }
+
+               case LDAP_BACK_CFG_IDASSERT_BIND: {
+                       int             i;
+                       struct berval   bv = BER_BVNULL,
+                                       bc = BER_BVNULL;
+                       char            *ptr;
+
+                       if ( li->idassert_authmethod != LDAP_AUTH_NONE ) {
+                               switch ( li->idassert_mode ) {
+                               case LDAP_BACK_IDASSERT_OTHERID:
+                               case LDAP_BACK_IDASSERT_OTHERDN:
+                                       break;
+
+                               default: {
+                                       struct berval   mode = BER_BVNULL;
+
+                                       enum_to_verb( idassert_mode, li->idassert_mode, &mode );
+                                       if ( BER_BVISNULL( &mode ) ) {
+                                               /* there's something wrong... */
+                                               assert( 0 );
+                                               rc = 1;
+       
+                                       } else {
+                                               bv.bv_len = STRLENOF( "mode=" ) + mode.bv_len;
+                                               bv.bv_val = ch_malloc( bv.bv_len + 1 );
+
+                                               ptr = lutil_strcopy( bv.bv_val, "mode=" );
+                                               ptr = lutil_strcopy( ptr, mode.bv_val );
+                                       }
+                                       break;
+                               }
+                               }
+
+                               if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+                                       ber_len_t       len = bv.bv_len + STRLENOF( "authz=native" );
+
+                                       if ( !BER_BVISEMPTY( &bv ) ) {
+                                               len += STRLENOF( " " );
+                                       }
+
+                                       bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
+
+                                       ptr = bv.bv_val + bv.bv_len;
+
+                                       if ( !BER_BVISEMPTY( &bv ) ) {
+                                               ptr = lutil_strcopy( ptr, " " );
+                                       }
+
+                                       (void)lutil_strcopy( ptr, "authz=native" );
+                               }
+
+                               if ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
+                                       ber_len_t       len = bv.bv_len + STRLENOF( "flags=override" );
+
+                                       if ( !BER_BVISEMPTY( &bv ) ) {
+                                               len += STRLENOF( " " );
+                                       }
+
+                                       bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
+
+                                       ptr = bv.bv_val + bv.bv_len;
+
+                                       if ( !BER_BVISEMPTY( &bv ) ) {
+                                               ptr = lutil_strcopy( ptr, " " );
+                                       }
+
+                                       (void)lutil_strcopy( ptr, "flags=override" );
+                               }
+                       }
+
+
+
+                       bindconf_unparse( &li->idassert_sb, &bc );
+
+                       if ( !BER_BVISNULL( &bv ) ) {
+                               char    *ptr;
+
+                               c->value_bv.bv_len = bv.bv_len + bc.bv_len;
+                               c->value_bv.bv_val = ch_realloc( bv.bv_val, c->value_bv.bv_len + 1 );
+
+                               assert( bc.bv_val[ 0 ] == ' ' );
+
+                               ptr = lutil_strcopy( c->value_bv.bv_val, bv.bv_val );
+                               (void)lutil_strcopy( ptr, bc.bv_val );
+
+                               free( bc.bv_val );
+
+                       } else {
+                               for ( i = 0; isspace( bc.bv_val[ i ] ); i++ )
+                                       /* count spaces */ ;
+
+                               if ( i ) {
+                                       bc.bv_len -= i;
+                                       AC_MEMCPY( bc.bv_val, &bc.bv_val[ i ], bc.bv_len + 1 );
+                               }
+
+                               c->value_bv = bv;
+                       }
+                       
+                       break;
+               }
+
+               case LDAP_BACK_CFG_REBIND:
+                       enum_to_verb( yn_mode, ( ( li->flags & LDAP_BACK_F_SAVECRED ) == LDAP_BACK_F_SAVECRED ), &bv );
+                       if ( BER_BVISNULL( &bv ) ) {
+                               /* there's something wrong... */
+                               assert( 0 );
+                               rc = 1;
+
+                       } else {
+                               ber_dupbv( &c->value_bv, &bv );
+                       }
+                       break;
+
+               case LDAP_BACK_CFG_CHASE:
+                       enum_to_verb( yn_mode, ( ( li->flags & LDAP_BACK_F_CHASE_REFERRALS ) == LDAP_BACK_F_CHASE_REFERRALS ), &bv );
+                       if ( BER_BVISNULL( &bv ) ) {
+                               /* there's something wrong... */
+                               assert( 0 );
+                               rc = 1;
+
+                       } else {
+                               ber_dupbv( &c->value_bv, &bv );
+                       }
+                       break;
+
+               case LDAP_BACK_CFG_T_F:
+                       enum_to_verb( t_f_mode, ( ( li->flags & LDAP_BACK_F_SUPPORT_T_F_MASK ) == LDAP_BACK_F_SUPPORT_T_F_MASK ), &bv );
+                       if ( BER_BVISNULL( &bv ) ) {
+                               /* there's something wrong... */
+                               assert( 0 );
+                               rc = 1;
+
+                       } else {
+                               ber_dupbv( &c->value_bv, &bv );
+                       }
+                       break;
+
+               case LDAP_BACK_CFG_WHOAMI:
+                       enum_to_verb( yn_mode, ( ( li->flags & LDAP_BACK_F_PROXY_WHOAMI ) == LDAP_BACK_F_PROXY_WHOAMI ), &bv );
+                       if ( BER_BVISNULL( &bv ) ) {
+                               /* there's something wrong... */
+                               assert( 0 );
+                               rc = 1;
+
+                       } else {
+                               ber_dupbv( &c->value_bv, &bv );
+                       }
+                       break;
+
+               default:
+                       /* we need to handle all... */
+                       assert( 0 );
+                       break;
+               }
+               return rc;
+
+       } else if ( c->op == LDAP_MOD_DELETE ) {
+               rc = 0;
+               switch( c->type ) {
+               case LDAP_BACK_CFG_URI:
+                       if ( li->url != NULL ) {
+                               ch_free( li->url );
+                               li->url = NULL;
+                       }
+
+                       if ( li->lud != NULL ) {
+                               ldap_free_urllist( li->lud );
+                               li->lud = NULL;
+                       }
+                       
+                       /* better cleanup the cached connections... */
+                       /* NOTE: don't worry about locking: if we got here,
+                        * other threads are suspended. */
+                       avl_free( li->conntree, ldap_back_conn_free );
+                       li->conntree = NULL;
+                       
+                       break;
+
+               case LDAP_BACK_CFG_TLS:
+               case LDAP_BACK_CFG_ACL_AUTHCDN:
+               case LDAP_BACK_CFG_ACL_PASSWD:
+               case LDAP_BACK_CFG_ACL_METHOD:
+                       /* handled by LDAP_BACK_CFG_ACL_BIND */
+                       rc = 1;
+                       break;
+
+               case LDAP_BACK_CFG_ACL_BIND:
+                       bindconf_free( &li->acl_sb );
+                       break;
+
+               case LDAP_BACK_CFG_IDASSERT_MODE:
+               case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
+               case LDAP_BACK_CFG_IDASSERT_PASSWD:
+               case LDAP_BACK_CFG_IDASSERT_METHOD:
+                       /* handled by LDAP_BACK_CFG_IDASSERT_BIND */
+                       rc = 1;
+                       break;
+
+               case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
+                       if ( li->idassert_authz != NULL ) {
+                               ber_bvarray_free( li->idassert_authz );
+                               li->idassert_authz = NULL;
+                       }
+                       break;
+
+               case LDAP_BACK_CFG_IDASSERT_BIND:
+                       bindconf_free( &li->idassert_sb );
+                       break;
+
+               case LDAP_BACK_CFG_REBIND:
+               case LDAP_BACK_CFG_CHASE:
+               case LDAP_BACK_CFG_T_F:
+               case LDAP_BACK_CFG_WHOAMI:
+                       rc = 1;
+                       break;
+
+               default:
+                       /* we need to handle all... */
+                       assert( 0 );
+                       break;
+               }
+               return rc;
+
+       }
+
+       switch( c->type ) {
+       case LDAP_BACK_CFG_URI: {
+               LDAPURLDesc     *tmpludp;
+               char            **urllist;
+               int             urlrc, i;
+
+               if ( c->argc != 2 ) {
+                       fprintf( stderr, "%s: line %d: "
+                                       "missing uri "
+                                       "in \"uri <uri>\" line\n",
+                                       c->fname, c->lineno );
+                       return 1;
+               }
+
+               if ( li->url != NULL ) {
+                       ch_free( li->url );
+               }
+
+               if ( li->lud != NULL ) {
+                       ldap_free_urllist( li->lud );
+               }
+
+#if 0
+               /* PARANOID: DN and more are not required nor allowed */
+               urlrc = ldap_url_parselist_ext( &li->lud, c->value_string, "\t" );
+#else
+               urlrc = ldap_url_parselist( &li->lud, c->value_string );
+#endif
+               if ( urlrc != LDAP_URL_SUCCESS ) {
+                       char    *why;
+
+                       switch ( urlrc ) {
+                       case LDAP_URL_ERR_MEM:
+                               why = "no memory";
+                               break;
+                       case LDAP_URL_ERR_PARAM:
+                               why = "parameter is bad";
+                               break;
+                       case LDAP_URL_ERR_BADSCHEME:
+                               why = "URL doesn't begin with \"[c]ldap[si]://\"";
+                               break;
+                       case LDAP_URL_ERR_BADENCLOSURE:
+                               why = "URL is missing trailing \">\"";
+                               break;
+                       case LDAP_URL_ERR_BADURL:
+                               why = "URL is bad";
+                       case LDAP_URL_ERR_BADHOST:
+                               why = "host/port is bad";
+                               break;
+                       case LDAP_URL_ERR_BADATTRS:
+                               why = "bad (or missing) attributes";
+                               break;
+                       case LDAP_URL_ERR_BADSCOPE:
+                               why = "scope string is invalid (or missing)";
+                               break;
+                       case LDAP_URL_ERR_BADFILTER:
+                               why = "bad or missing filter";
+                               break;
+                       case LDAP_URL_ERR_BADEXTS:
+                               why = "bad or missing extensions";
+                               break;
+                       default:
+                               why = "unknown reason";
+                               break;
+                       }
+                       fprintf( stderr, "%s: line %d: "
+                                       "unable to parse uri \"%s\" "
+                                       "in \"uri <uri>\" line: %s\n",
+                                       c->fname, c->lineno, c->value_string, why );
+                       return 1;
+               }
+
+               for ( i = 0, tmpludp = li->lud;
+                               tmpludp;
+                               i++, tmpludp = tmpludp->lud_next )
+               {
+                       if ( ( tmpludp->lud_dn != NULL
+                                               && tmpludp->lud_dn[0] != '\0' )
+                                       || tmpludp->lud_attrs != NULL
+                                       /* || tmpludp->lud_scope != LDAP_SCOPE_DEFAULT */
+                                       || tmpludp->lud_filter != NULL
+                                       || tmpludp->lud_exts != NULL )
+                       {
+                               fprintf( stderr, "%s: line %d: "
+                                               "warning, only protocol, "
+                                               "host and port allowed "
+                                               "in \"uri <uri>\" statement "
+                                               "for uri #%d of \"%s\"\n",
+                                               c->fname, c->lineno, i, c->value_string );
+                       }
+               }
+
+#if 0
+               for ( i = 0, tmpludp = li->lud;
+                               tmpludp;
+                               i++, tmpludp = tmpludp->lud_next )
+                       /* just count */
+               
+               urllist = ch_calloc( sizeof( char * ), i + 1 );
+
+               for ( i = 0, tmpludp = li->lud;
+                               tmpludp;
+                               i++, tmpludp = tmpludp->lud_next )
+               {
+                       LDAPURLDesc     tmplud;
+                       ber_len_t       oldlen = 0, len;
+
+                       tmplud = *tmpludp;
+                       tmplud.lud_dn = "";
+                       tmplud.lud_attrs = NULL;
+                       tmplud.lud_filter = NULL;
+                       if ( !ldap_is_ldapi_url( tmplud.lud_scheme ) ) {
+                               tmplud.lud_exts = NULL;
+                               tmplud.lud_crit_exts = 0;
+                       }
+
+                       urllist[ i ]  = ldap_url_desc2str( &tmplud );
+
+                       if ( urllist[ i ] == NULL ) {
+                               fprintf( stderr, "%s: line %d: "
+                                       "unable to rebuild uri "
+                                       "in \"uri <uri>\" statement "
+                                       "for \"%s\"\n",
+                                       c->fname, c->lineno, argv[ 1 ] );
+                               return 1;
+                       }
+               }
+
+               li->url = ldap_charray2str( urllist, " " );
+               ldap_charray_free( urllist );
+#else
+               li->url = ch_strdup( c->value_string );
+#endif
+               break;
+       }
+
+       case LDAP_BACK_CFG_TLS:
+               i = verb_to_mask( c->argv[1], tls_mode );
+               if ( BER_BVISNULL( &tls_mode[i].word ) ) {
+                       return 1;
+               }
+               li->flags &= ~LDAP_BACK_F_TLS_MASK;
+               li->flags |= tls_mode[i].mask;
+               break;
+
+       case LDAP_BACK_CFG_ACL_AUTHCDN:
+               switch ( li->acl_authmethod ) {
+               case LDAP_AUTH_NONE:
+                       li->acl_authmethod = LDAP_AUTH_SIMPLE;
+                       break;
+
+               case LDAP_AUTH_SIMPLE:
+                       break;
+
+               default:
+                       fprintf( stderr, "%s: line %d: "
+                               "\"acl-authcDN <DN>\" incompatible "
+                               "with auth method %d.",
+                               c->fname, c->lineno, li->acl_authmethod );
+                       return 1;
+               }
+               if ( !BER_BVISNULL( &li->acl_authcDN ) ) {
+                       free( li->acl_authcDN.bv_val );
+               }
+               li->acl_authcDN = c->value_ndn;
+               break;
+
+       case LDAP_BACK_CFG_ACL_PASSWD:
+               switch ( li->acl_authmethod ) {
+               case LDAP_AUTH_NONE:
+                       li->acl_authmethod = LDAP_AUTH_SIMPLE;
+                       break;
+
+               case LDAP_AUTH_SIMPLE:
+                       break;
+
+               default:
+                       fprintf( stderr, "%s: line %d: "
+                               "\"acl-passwd <cred>\" incompatible "
+                               "with auth method %d.",
+                               c->fname, c->lineno, li->acl_authmethod );
+                       return 1;
+               }
+               if ( !BER_BVISNULL( &li->acl_passwd ) ) {
+                       free( li->acl_passwd.bv_val );
+               }
+               li->acl_passwd = c->value_bv;
+               break;
+
+       case LDAP_BACK_CFG_ACL_METHOD:
+       case LDAP_BACK_CFG_ACL_BIND:
+               for ( i = 1; i < c->argc; i++ ) {
+                       if ( bindconf_parse( c->argv[ i ], &li->acl_sb ) ) {
+                               return 1;
+                       }
+               }
+               break;
+
+       case LDAP_BACK_CFG_IDASSERT_MODE:
+               i = verb_to_mask( c->argv[1], idassert_mode );
+               if ( BER_BVISNULL( &idassert_mode[i].word ) ) {
+                       if ( strncasecmp( c->argv[1], "u:", STRLENOF( "u:" ) ) == 0 ) {
+                               li->idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
+                               ber_str2bv( c->argv[1], 0, 1, &li->idassert_authzID );
+                               li->idassert_authzID.bv_val[ 0 ] = 'u';
+                               
+                       } else {
+                               struct berval   id, ndn;
+
+                               ber_str2bv( c->argv[1], 0, 0, &id );
+
+                               if ( strncasecmp( c->argv[1], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
+                                       id.bv_val += STRLENOF( "dn:" );
+                                       id.bv_len -= STRLENOF( "dn:" );
+                               }
+
+                               rc = dnNormalize( 0, NULL, NULL, &id, &ndn, NULL );
+                                if ( rc != LDAP_SUCCESS ) {
+                                        Debug( LDAP_DEBUG_ANY,
+                                                "%s: line %d: idassert ID \"%s\" is not a valid DN\n",
+                                                c->fname, c->lineno, c->argv[1] );
+                                        return 1;
+                                }
+
+                                li->idassert_authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
+                                li->idassert_authzID.bv_val = ch_malloc( li->idassert_authzID.bv_len + 1 );
+                                AC_MEMCPY( li->idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
+                                AC_MEMCPY( &li->idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], ndn.bv_val, ndn.bv_len + 1 );
+                                ch_free( ndn.bv_val );
+
+                                li->idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
+                       }
+
+               } else {
+                       li->idassert_mode = idassert_mode[i].mask;
+               }
+
+               if ( c->argc > 2 ) {
+                       int     i;
+
+                       for ( i = 2; i < c->argc; i++ ) {
+                               if ( strcasecmp( c->argv[ i ], "override" ) == 0 ) {
+                                       li->idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
+
+                               } else {
+                                       Debug( LDAP_DEBUG_ANY,
+                                               "%s: line %d: unknown flag #%d "
+                                               "in \"idassert-mode <args> "
+                                               "[<flags>]\" line.\n",
+                                               c->fname, c->lineno, i - 2 );
+                                       return 1;
+                               }
+                        }
+                }
+               break;
+
+       case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
+               switch ( li->idassert_authmethod ) {
+               case LDAP_AUTH_NONE:
+                       li->idassert_authmethod = LDAP_AUTH_SIMPLE;
+                       break;
+
+               case LDAP_AUTH_SIMPLE:
+                       break;
+
+               default:
+                       fprintf( stderr, "%s: line %d: "
+                               "\"idassert-authcDN <DN>\" incompatible "
+                               "with auth method %d.",
+                               c->fname, c->lineno, li->idassert_authmethod );
+                       return 1;
+               }
+               if ( !BER_BVISNULL( &li->idassert_authcDN ) ) {
+                       free( li->idassert_authcDN.bv_val );
+               }
+               li->idassert_authcDN = c->value_ndn;
+               break;
+
+       case LDAP_BACK_CFG_IDASSERT_PASSWD:
+               switch ( li->idassert_authmethod ) {
+               case LDAP_AUTH_NONE:
+                       li->idassert_authmethod = LDAP_AUTH_SIMPLE;
+                       break;
+
+               case LDAP_AUTH_SIMPLE:
+                       break;
+
+               default:
+                       fprintf( stderr, "%s: line %d: "
+                               "\"idassert-passwd <cred>\" incompatible "
+                               "with auth method %d.",
+                               c->fname, c->lineno, li->idassert_authmethod );
+                       return 1;
+               }
+               if ( !BER_BVISNULL( &li->idassert_passwd ) ) {
+                       free( li->idassert_passwd.bv_val );
+               }
+               li->idassert_passwd = c->value_bv;
+               break;
+
+       case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
+               ber_bvarray_add( &li->idassert_authz, &c->value_bv );
+               break;
+
+       case LDAP_BACK_CFG_IDASSERT_METHOD:
+               /* no longer supported */
+               fprintf( stderr, "%s: %d: "
+                       "\"idassert-method <args>\": "
+                       "no longer supported; use \"idassert-bind\".\n",
+                       c->fname, c->lineno );
+               return 1;
+
+       case LDAP_BACK_CFG_IDASSERT_BIND:
+               for ( i = 1; i < c->argc; i++ ) {
+                       if ( strncasecmp( c->argv[ i ], "mode=", STRLENOF( "mode=" ) ) == 0 ) {
+                               char    *argvi = c->argv[ i ] + STRLENOF( "mode=" );
+                               int     j;
+
+                               j = verb_to_mask( argvi, idassert_mode );
+                               if ( BER_BVISNULL( &idassert_mode[ j ].word ) ) {
+                                       fprintf( stderr, "%s: %d: "
+                                               "\"idassert-bind <args>\": "
+                                               "unknown mode \"%s\".\n",
+                                               c->fname, c->lineno, argvi );
+                                       return 1;
+                               }
+
+                               li->idassert_mode = idassert_mode[ j ].mask;
+
+                       } else if ( strncasecmp( c->argv[ i ], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
+                               char    *argvi = c->argv[ i ] + STRLENOF( "authz=" );
+
+                               if ( strcasecmp( argvi, "native" ) == 0 ) {
+                                       if ( li->idassert_authmethod != LDAP_AUTH_SASL ) {
+                                               fprintf( stderr, "%s: %d: "
+                                                       "\"idassert-bind <args>\": "
+                                                       "authz=\"native\" incompatible "
+                                                       "with auth method.\n",
+                                                       c->fname, c->lineno );
+                                               return 1;
+                                       }
+                                       li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
+
+                               } else if ( strcasecmp( argvi, "proxyAuthz" ) == 0 ) {
+                                       li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
+
+                               } else {
+                                       fprintf( stderr, "%s: %d: "
+                                               "\"idassert-bind <args>\": "
+                                               "unknown authz \"%s\".\n",
+                                               c->fname, c->lineno, argvi );
+                                       return 1;
+                               }
+
+                       } else if ( strncasecmp( c->argv[ i ], "flags=", STRLENOF( "flags=" ) ) == 0 ) {
+                               char    *argvi = c->argv[ i ] + STRLENOF( "flags=" );
+                               char    **flags = ldap_str2charray( argvi, "," );
+                               int     j;
+
+                               if ( flags == NULL ) {
+                                       fprintf( stderr, "%s: %d: "
+                                               "\"idassert-bind <args>\": "
+                                               "unable to parse flags \"%s\".\n",
+                                               c->fname, c->lineno, argvi );
+                                       return 1;
+                               }
+
+                               for ( j = 0; flags[ j ] != NULL; j++ ) {
+                                       if ( strcasecmp( flags[ j ], "override" ) == 0 ) {
+                                               li->idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
+
+                                       } else {
+                                               fprintf( stderr, "%s: %d: "
+                                                       "\"idassert-bind <args>\": "
+                                                       "unknown flag \"%s\".\n",
+                                                       c->fname, c->lineno, flags[ j ] );
+                                               return 1;
+                                       }
+                               }
+
+                               ldap_charray_free( flags );
+
+                       } else if ( bindconf_parse( c->argv[ i ], &li->idassert_sb ) ) {
+                               return 1;
+                       }
+               }
+               break;
+
+       case LDAP_BACK_CFG_REBIND: {
+               int     dorebind = 0;
+
+               if ( c->argc == 1 ) {
+                       /* legacy */
+                       dorebind = 1;
+
+               } else {
+                       i = verb_to_mask( c->argv[1], yn_mode );
+                       if ( BER_BVISNULL( &yn_mode[i].word ) ) {
+                               return 1;
+                       }
+                       if ( yn_mode[i].mask & LDAP_BACK_C_YES ) {
+                               dorebind = 1;
+                       }
+               }
+
+               if ( dorebind ) {
+                       li->flags |= LDAP_BACK_F_SAVECRED;
+
+               } else {
+                       li->flags &= ~LDAP_BACK_F_SAVECRED;
+               }
+               break;
+       }
+
+       case LDAP_BACK_CFG_CHASE: {
+               int     dochase = 0;
+
+               if ( c->argc == 1 ) {
+                       /* legacy */
+                       dochase = 1;
+
+               } else {
+                       i = verb_to_mask( c->argv[1], yn_mode );
+                       if ( BER_BVISNULL( &yn_mode[i].word ) ) {
+                               return 1;
+                       }
+                       if ( yn_mode[i].mask & LDAP_BACK_C_YES ) {
+                               dochase = 1;
+                       }
+               }
+
+               if ( dochase ) {
+                       li->flags |= LDAP_BACK_F_CHASE_REFERRALS;
+
+               } else {
+                       li->flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
+               }
+               break;
+       }
+
+       case LDAP_BACK_CFG_T_F:
+               i = verb_to_mask( c->argv[1], t_f_mode );
+               if ( BER_BVISNULL( &t_f_mode[i].word ) ) {
+                       return 1;
+               }
+               li->flags &= ~LDAP_BACK_F_SUPPORT_T_F_MASK;
+               li->flags |= t_f_mode[i].mask;
+               break;
+
+       case LDAP_BACK_CFG_WHOAMI: {
+               int     dowhoami = 0;
+
+               if ( c->argc == 1 ) {
+                       /* legacy */
+                       dowhoami = 1;
+
+               } else {
+                       i = verb_to_mask( c->argv[1], yn_mode );
+                       if ( BER_BVISNULL( &yn_mode[i].word ) ) {
+                               return 1;
+                       }
+                       if ( yn_mode[i].mask & LDAP_BACK_C_YES ) {
+                               dowhoami = 1;
+                       }
+               }
+
+               if ( dowhoami ) {
+                       li->flags |= LDAP_BACK_F_PROXY_WHOAMI;
+
+                       load_extop( (struct berval *)&slap_EXOP_WHOAMI,
+                                       0, ldap_back_exop_whoami );
+
+               } else {
+                       li->flags &= ~LDAP_BACK_F_PROXY_WHOAMI;
+               }
+               break;
+       }
+
+       case LDAP_BACK_CFG_REWRITE:
+               fprintf( stderr, "%s: line %d: "
+                       "rewrite/remap capabilities have been moved "
+                       "to the \"rwm\" overlay; see slapo-rwm(5) "
+                       "for details (hint: add \"overlay rwm\" "
+                       "and prefix all directives with \"rwm-\").\n",
+                       c->fname, c->lineno );
+               return 1;
+               
+       default:
+               assert( 0 );
+       }
+
+       return 0;
+}
+
+int
+ldap_back_init_cf( BackendInfo *bi )
+{
+       int                     rc;
+       AttributeDescription    *ad = NULL;
+       const char              *text;
+
+       bi->bi_cf_ocs = ldapocs;
+
+       rc = config_register_schema( ldapcfg, ldapocs );
+       if ( rc ) {
+               return rc;
+       }
+
+       /* setup olcDbAclPasswd and olcDbIDAssertPasswd 
+        * to be base64-encoded when written in LDIF form;
+        * basically, we don't care if it fails */
+       rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
+       if ( rc ) {
+               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
+                       "warning, unable to get \"olcDbACLPasswd\" "
+                       "attribute description: %d: %s\n",
+                       rc, text, 0 );
+       } else {
+               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
+                       ad->ad_type->sat_oid );
+       }
+
+       ad = NULL;
+       rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
+       if ( rc ) {
+               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
+                       "warning, unable to get \"olcDbIDAssertPasswd\" "
+                       "attribute description: %d: %s\n",
+                       rc, text, 0 );
+       } else {
+               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
+                       ad->ad_type->sat_oid );
+       }
+
+       return 0;
+}
+
+
 static int
 parse_idassert( BackendDB *be, const char *fname, int lineno,
                int argc, char **argv );
@@ -61,36 +1142,17 @@ ldap_back_db_config(
                return 1;
        }
 
-       /* server address to query (depricated, use "uri" directive) */
+       /* server address to query (no longer supported, use "uri" directive) */
        if ( strcasecmp( argv[0], "server" ) == 0 ) {
-               ber_len_t       l;
-
                fprintf( stderr,
-       "%s: line %d: \"server <address>\" directive is deprecated\n",
-                                       fname, lineno );
-
-               if ( argc != 2 ) {
-                       fprintf( stderr,
-       "%s: line %d: missing address in \"server <address>\" line\n",
+       "%s: line %d: \"server <address>\" directive is no longer supported.\n",
                                        fname, lineno );
-                       return 1;
-               }
-               if ( li->url != NULL ) {
-                       ch_free( li->url );
-               }
-
-               l = strlen( argv[1] ) + STRLENOF( "ldap:///") + 1;
-               li->url = ch_calloc( l, sizeof( char ) );
-               if ( li->url == NULL ) {
-                       fprintf( stderr, "%s: line %d: malloc failed\n" );
-                       return 1;
-               }
-
-               snprintf( li->url, l, "ldap://%s/", argv[1] );
+               return 1;
 
-       /* URI of server to query (preferred over "server" directive) */
+       /* URI of server to query (obsoletes "server" directive) */
        } else if ( strcasecmp( argv[0], "uri" ) == 0 ) {
                LDAPURLDesc     *tmpludp;
+               char            **urllist;
                int             urlrc, i;
 
                if ( argc != 2 ) {
@@ -111,7 +1173,7 @@ ldap_back_db_config(
                /* PARANOID: DN and more are not required nor allowed */
                urlrc = ldap_url_parselist_ext( &li->lud, argv[ 1 ], "\t" );
 #else
-               urlrc =  ldap_url_parselist( &li->lud, argv[ 1 ] );
+               urlrc = ldap_url_parselist( &li->lud, argv[ 1 ] );
 #endif
                if ( urlrc != LDAP_URL_SUCCESS ) {
                        char    *why;
@@ -164,6 +1226,7 @@ ldap_back_db_config(
                        if ( ( tmpludp->lud_dn != NULL
                                                && tmpludp->lud_dn[0] != '\0' )
                                        || tmpludp->lud_attrs != NULL
+                                       /* || tmpludp->lud_scope != LDAP_SCOPE_DEFAULT */
                                        || tmpludp->lud_filter != NULL
                                        || tmpludp->lud_exts != NULL )
                        {
@@ -177,23 +1240,32 @@ ldap_back_db_config(
                }
 
 #if 0
-               for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) {
+               for ( i = 0, tmpludp = li->lud;
+                               tmpludp;
+                               i++, tmpludp = tmpludp->lud_next )
+                       /* just count */
+               
+               urllist = ch_calloc( sizeof( char * ), i + 1 );
+
+               for ( i = 0, tmpludp = li->lud;
+                               tmpludp;
+                               i++, tmpludp = tmpludp->lud_next )
+               {
                        LDAPURLDesc     tmplud;
-                       char            *tmpurl;
                        ber_len_t       oldlen = 0, len;
 
                        tmplud = *tmpludp;
                        tmplud.lud_dn = "";
                        tmplud.lud_attrs = NULL;
                        tmplud.lud_filter = NULL;
-                       if ( !ldap_is_ldapi_url( argv[ 1 ] ) ) {
+                       if ( !ldap_is_ldapi_url( tmplud.lud_scheme ) ) {
                                tmplud.lud_exts = NULL;
                                tmplud.lud_crit_exts = 0;
                        }
 
-                       tmpurl = ldap_url_desc2str( &tmplud );
+                       urllist[ i ]  = ldap_url_desc2str( &tmplud );
 
-                       if ( tmpurl == NULL ) {
+                       if ( urllist[ i ] == NULL ) {
                                fprintf( stderr, "%s: line %d: "
                                        "unable to rebuild uri "
                                        "in \"uri <uri>\" statement "
@@ -201,18 +1273,10 @@ ldap_back_db_config(
                                        fname, lineno, argv[ 1 ] );
                                return 1;
                        }
-
-                       len = strlen( tmpurl );
-                       if ( li->url ) {
-                               oldlen = strlen( li->url ) + STRLENOF( " " );
-                       }
-                       li->url = ch_realloc( li->url, oldlen + len + 1);
-                       if ( oldlen ) {
-                               li->url[oldlen - 1] = " ";
-                       }
-                       AC_MEMCPY( &li->url[oldlen], tmpurl, len + 1 );
-                       ch_free( tmpurl );
                }
+
+               li->url = ldap_charray2str( urllist, " " );
+               ldap_charray_free( urllist );
 #else
                li->url = ch_strdup( argv[ 1 ] );
 #endif
@@ -225,9 +1289,13 @@ ldap_back_db_config(
                        return( 1 );
                }
 
-               /* start */
-               if ( strcasecmp( argv[1], "start" ) == 0 ) {
-                       li->flags |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+               /* none */
+               if ( strcasecmp( argv[1], "none" ) == 0 ) {
+                       li->flags &= ~LDAP_BACK_F_TLS_MASK;
+       
+               /* try start tls */
+               } else if ( strcasecmp( argv[1], "start" ) == 0 ) {
+                       li->flags |= LDAP_BACK_F_TLS_USE_MASK;
        
                /* try start tls */
                } else if ( strcasecmp( argv[1], "try-start" ) == 0 ) {
@@ -236,7 +1304,7 @@ ldap_back_db_config(
        
                /* propagate start tls */
                } else if ( strcasecmp( argv[1], "propagate" ) == 0 ) {
-                       li->flags |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+                       li->flags |= LDAP_BACK_F_TLS_PROPAGATE_MASK;
                
                /* try start tls */
                } else if ( strcasecmp( argv[1], "try-propagate" ) == 0 ) {
@@ -270,18 +1338,41 @@ ldap_back_db_config(
 
        /* save bind creds for referral rebinds? */
        } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
-               if ( argc != 1 ) {
+               switch ( argc ) {
+               case 1:
+                       fprintf( stderr,
+       "%s: line %d: \"rebind-as-user {NO|yes}\": use without args is deprecated.\n",
+                               fname, lineno );
+       
+                       li->flags |= LDAP_BACK_F_SAVECRED;
+                       break;
+
+               case 2:
+                       if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) {
+                               li->flags |= LDAP_BACK_F_SAVECRED;
+
+                       } else if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) {
+                               li->flags &= ~LDAP_BACK_F_SAVECRED;
+
+                       } else {
+                               fprintf( stderr,
+       "%s: line %d: \"rebind-as-user {NO|yes}\": unknown argument \"%s\".\n",
+                                       fname, lineno, argv[ 1 ] );
+                               return( 1 );
+                       }
+                       break;
+
+               default:
                        fprintf( stderr,
-       "%s: line %d: \"rebind-as-user\" takes no arguments\n",
+       "%s: line %d: \"rebind-as-user {NO|yes}\" needs 1 argument.\n",
                                        fname, lineno );
                        return( 1 );
                }
-               li->flags |= LDAP_BACK_F_SAVECRED;
 
        } else if ( strcasecmp( argv[0], "chase-referrals" ) == 0 ) {
                if ( argc != 2 ) {
                        fprintf( stderr,
-       "%s: line %d: \"chase-referrals\" needs 1 argument.\n",
+       "%s: line %d: \"chase-referrals {YES|no}\" needs 1 argument.\n",
                                        fname, lineno );
                        return( 1 );
                }
@@ -295,7 +1386,7 @@ ldap_back_db_config(
 
                } else {
                        fprintf( stderr,
-               "%s: line %d: \"chase-referrals {yes|no}\": unknown argument \"%s\".\n",
+               "%s: line %d: \"chase-referrals {YES|no}\": unknown argument \"%s\".\n",
                                        fname, lineno, argv[1] );
                        return( 1 );
                }
@@ -303,7 +1394,7 @@ ldap_back_db_config(
        } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
                if ( argc != 2 ) {
                        fprintf( stderr,
-               "%s: line %d: \"t-f-support {no|yes|discover}\" needs 1 argument.\n",
+               "%s: line %d: \"t-f-support {NO|yes|discover}\" needs 1 argument.\n",
                                        fname, lineno );
                        return( 1 );
                }
@@ -319,21 +1410,49 @@ ldap_back_db_config(
 
                } else {
                        fprintf( stderr,
-       "%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
+       "%s: line %d: \"t-f-support {NO|yes|discover}\": unknown argument \"%s\".\n",
                                fname, lineno, argv[ 1 ] );
                        return 1;
                }
 
        /* intercept exop_who_am_i? */
        } else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
-               if ( argc != 1 ) {
+               int     doload_extop = 0;
+
+               switch ( argc ) {
+               case 1:
+                       fprintf( stderr,
+       "%s: line %d: \"proxy-whoami {NO|yes}\": use without args is deprecated.\n",
+                               fname, lineno );
+       
+                       doload_extop = 1;
+                       break;
+
+               case 2:
+                       if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) {
+                               doload_extop = 1;
+
+                       } else if ( strcasecmp( argv[ 1 ], "no" ) != 0 ) {
+                               fprintf( stderr,
+       "%s: line %d: \"proxy-whoami {NO|yes}\": unknown argument \"%s\".\n",
+                                       fname, lineno, argv[ 1 ] );
+                               return( 1 );
+                       }
+                       break;
+
+               default:
                        fprintf( stderr,
-       "%s: line %d: proxy-whoami takes no arguments\n",
+       "%s: line %d: \"proxy-whoami {NO|yes}\" needs 1 argument.\n",
                                        fname, lineno );
                        return( 1 );
                }
-               load_extop( (struct berval *)&slap_EXOP_WHOAMI,
-                               0, ldap_back_exop_whoami );
+
+               if ( doload_extop ) {
+                       li->flags |= LDAP_BACK_F_PROXY_WHOAMI;
+
+                       load_extop( (struct berval *)&slap_EXOP_WHOAMI,
+                                       0, ldap_back_exop_whoami );
+               }
 
        /* FIXME: legacy: intercept old rewrite/remap directives
         * and try to start the rwm overlay */
@@ -341,6 +1460,7 @@ ldap_back_db_config(
                        || strcasecmp( argv[0], "map" ) == 0
                        || strncasecmp( argv[0], "rewrite", STRLENOF( "rewrite" ) ) == 0 )
        {
+#if 0
                fprintf( stderr, "%s: line %d: "
                        "rewrite/remap capabilities have been moved "
                        "to the \"rwm\" overlay; see slapo-rwm(5) "
@@ -371,8 +1491,16 @@ ldap_back_db_config(
 
                        return ( *be->bd_info->bi_db_config )( be, fname, lineno, argc, argv );
                }
+#else
+               fprintf( stderr, "%s: line %d: "
+                       "rewrite/remap capabilities have been moved "
+                       "to the \"rwm\" overlay; see slapo-rwm(5) "
+                       "for details (hint: add \"overlay rwm\" "
+                       "and prefix all directives with \"rwm-\").\n",
+                       fname, lineno );
+#endif
 
-               return SLAP_CONF_UNKNOWN;
+               return 1;
        
        /* anything else */
        } else {
@@ -407,7 +1535,7 @@ ldap_back_exop_whoami(
                LDAPMessage *res;
                Operation op2 = *op;
                ber_int_t msgid;
-               int do_retry = 1;
+               int doretry = 1;
 
                ctrls[0] = &c;
                op2.o_ndn = op->o_conn->c_ndn;
@@ -428,8 +1556,8 @@ retry:
                        if (ldap_result(lc->lc_ld, msgid, 1, NULL, &res) == -1) {
                                ldap_get_option(lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
                                        &rs->sr_err);
-                               if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
-                                       do_retry = 0;
+                               if ( rs->sr_err == LDAP_SERVER_DOWN && doretry ) {
+                                       doretry = 0;
                                        if ( ldap_back_retry( lc, op, rs, LDAP_BACK_SENDERR ) )
                                                goto retry;
                                }
@@ -646,14 +1774,54 @@ parse_idassert(
                        }
 
                } else if ( strcasecmp( argv1, "simple" ) == 0 ) {
-                       li->idassert_authmethod = LDAP_AUTH_SIMPLE;
+                       int     arg;
 
-                       if ( argc != 2 ) {
-                               fprintf( stderr,
-       "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
-                                       fname, lineno, argv[0], argv[1] );
+                       for ( arg = 2; arg < argc; arg++ ) {
+                               if ( strncasecmp( argv[arg], "authcdn=", STRLENOF( "authcdn=" ) ) == 0 ) {
+                                       char            *val = argv[arg] + STRLENOF( "authcdn=" );
+                                       struct berval   dn;
+                                       int             rc;
+
+                                       if ( !BER_BVISNULL( &li->idassert_authcDN ) ) {
+                                               fprintf( stderr, "%s: line %d: "
+                                                               "SASL authcDN already defined; replacing...\n",
+                                                               fname, lineno );
+                                               ch_free( li->idassert_authcDN.bv_val );
+                                       }
+                                       if ( strncasecmp( argv[arg], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
+                                               val += STRLENOF( "dn:" );
+                                       }
+
+                                       ber_str2bv( val, 0, 0, &dn );
+                                       rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_authcDN, NULL );
+                                       if ( rc != LDAP_SUCCESS ) {
+                                               Debug( LDAP_DEBUG_ANY,
+                                                       "%s: line %d: SASL authcdn \"%s\" is not a valid DN\n",
+                                                       fname, lineno, val );
+                                               return 1;
+                                       }
+
+                               } else if ( strncasecmp( argv[arg], "cred=", STRLENOF( "cred=" ) ) == 0 ) {
+                                       char    *val = argv[arg] + STRLENOF( "cred=" );
+
+                                       if ( !BER_BVISNULL( &li->idassert_passwd ) ) {
+                                               fprintf( stderr, "%s: line %d: "
+                                                               "SASL cred already defined; replacing...\n",
+                                                               fname, lineno );
+                                               ch_free( li->idassert_passwd.bv_val );
+                                       }
+                                       ber_str2bv( val, 0, 1, &li->idassert_passwd );
+
+                               } else {
+                                       fprintf( stderr, "%s: line %d: "
+                                                       "unknown parameter %s\n",
+                                                       fname, lineno, argv[arg] );
+                                       return 1;
+                               }
                        }
 
+                       li->idassert_authmethod = LDAP_AUTH_SIMPLE;
+
                } else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
 #ifdef HAVE_CYRUS_SASL
                        int     arg;

diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index 2c6d296f5c7c1bbc14720bd4a309b3825a26b84f..3a16c4d8185125c55d23f5a84d140a7bb80a0091 100644 (file)
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -275,8 +275,8 @@ fail:;
                                rs->sr_operational_attrs = NULL;
                                rs->sr_flags = 0;
                                abort = send_search_entry( op, rs );
-                               if ( !BER_BVISNULL( &ent.e_name ) && ( ent.e_name.bv_val != bdn.bv_val ) )
-                               {
+                               if ( !BER_BVISNULL( &ent.e_name ) ) {
+                                       assert( ent.e_name.bv_val != bdn.bv_val );
                                        free( ent.e_name.bv_val );
                                        BER_BVZERO( &ent.e_name );
                                }

diff --git a/servers/slapd/back-ldbm/add.c b/servers/slapd/back-ldbm/add.c
index 25cb07cc0b6e9ab8a02607b2db4da503e6e6defd..39b03af185049c18647e2d3224afd6a9a163c0d7 100644 (file)
--- a/servers/slapd/back-ldbm/add.c
+++ b/servers/slapd/back-ldbm/add.c
@@ -46,7 +46,7 @@ ldbm_back_add(
                op->o_req_dn.bv_val, 0, 0);
        
        rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
-               &rs->sr_text, textbuf, textlen );
+               get_manageDIT(op), &rs->sr_text, textbuf, textlen );
 
        if ( rs->sr_err != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_TRACE, "entry failed schema check: %s\n",

diff --git a/servers/slapd/back-ldbm/modify.c b/servers/slapd/back-ldbm/modify.c
index 3e34178d209f796f1b97300d9e1dc52202a492e6..51d10c269197ab37358f2242a8df3fde6d3a36ae 100644 (file)
--- a/servers/slapd/back-ldbm/modify.c
+++ b/servers/slapd/back-ldbm/modify.c
@@ -164,8 +164,8 @@ int ldbm_modify_internal(
        }
 
        /* check that the entry still obeys the schema */
-       rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
-
+       rc = entry_schema_check( op->o_bd, e, save_attrs, get_manageDIT(op),
+               text, textbuf, textlen );
        if ( rc != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_ANY, "entry failed schema check: %s\n",
                        *text, 0, 0 );

diff --git a/servers/slapd/back-ldif/ldif.c b/servers/slapd/back-ldif/ldif.c
index 10f7a523d10e37946a74f3ae87b96bda52e97dca..a59fe576ebda46207f1847634f53095cbc394193 100644 (file)
--- a/servers/slapd/back-ldif/ldif.c
+++ b/servers/slapd/back-ldif/ldif.c
@@ -332,11 +332,12 @@ static int r_enum_tree(enumCookie *ck, struct berval *path,
                                                ck->op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL
                                                        ? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE );
 
+                               ck->rs->sr_entry = e;
                                rc = send_search_reference( ck->op, ck->rs );
-
                                ber_bvarray_free( ck->rs->sr_ref );
                                ber_bvarray_free( erefs );
                                ck->rs->sr_ref = NULL;
+                               ck->rs->sr_entry = NULL;
 
                        } else if ( test_filter( ck->op, e, ck->op->ors_filter ) == LDAP_COMPARE_TRUE )
                        {
@@ -344,6 +345,7 @@ static int r_enum_tree(enumCookie *ck, struct berval *path,
                                ck->rs->sr_attrs = ck->op->ors_attrs;
                                ck->rs->sr_flags = REP_ENTRY_MODIFIABLE;
                                rc = send_search_entry(ck->op, ck->rs);
+                               ck->rs->sr_entry = NULL;
                        }
                        fd = 1;
                        if ( rc )
@@ -553,8 +555,8 @@ static int apply_modify_to_entry(Entry * entry,
                        entry->e_ocflags = 0;
                }
                /* check that the entry still obeys the schema */
-               rc = entry_schema_check(op->o_bd, entry, NULL,
-                                 &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rc = entry_schema_check(op->o_bd, entry, NULL, 0,
+                         &rs->sr_text, textbuf, sizeof( textbuf ) );
        }
        return rc;
 }
@@ -760,8 +762,8 @@ static int ldif_back_add(Operation *op, SlapReply *rs) {
        int statres;
        char textbuf[SLAP_TEXT_BUFLEN];
 
-       rs->sr_err = entry_schema_check(op->o_bd, e,
-                                 NULL, &rs->sr_text, textbuf, sizeof( textbuf ) );
+       rs->sr_err = entry_schema_check(op->o_bd, e, NULL, 0,
+               &rs->sr_text, textbuf, sizeof( textbuf ) );
        if ( rs->sr_err != LDAP_SUCCESS ) goto send_res;
                                
        ldap_pvt_thread_mutex_lock(&ni->li_mutex);

diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 34c23de5118e2746e4acd20669fd0db4eac323d5..fff12ab2159b27ec0bc361cb8424ab72bea74370 100644 (file)
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -942,8 +942,10 @@ meta_send_entry(
        rs->sr_entry = NULL;
        rs->sr_attrs = NULL;
        
-       if ( !BER_BVISNULL( &ent.e_name ) && ent.e_name.bv_val != bdn.bv_val ) {
-               free( ent.e_name.bv_val );
+       if ( !BER_BVISNULL( &ent.e_name ) ) {
+               if ( ent.e_name.bv_val != bdn.bv_val ) {
+                       free( ent.e_name.bv_val );
+               }
                BER_BVZERO( &ent.e_name );
        }
        if ( !BER_BVISNULL( &ent.e_nname ) ) {

diff --git a/servers/slapd/back-monitor/back-monitor.h b/servers/slapd/back-monitor/back-monitor.h
index 511c4c48abe57fb6a20fe48a5931a436c202e374..8cd40f186b748a492bf06880741071bdf20e2bd0 100644 (file)
--- a/servers/slapd/back-monitor/back-monitor.h
+++ b/servers/slapd/back-monitor/back-monitor.h
@@ -121,6 +121,7 @@ typedef struct monitor_info_t {
        AttributeDescription    *mi_ad_monitorConnectionStartTime;
        AttributeDescription    *mi_ad_monitorConnectionActivityTime;
        AttributeDescription    *mi_ad_monitorIsShadow;
+       AttributeDescription    *mi_ad_monitorUpdateRef;
 
        /*
         * Generic description attribute

diff --git a/servers/slapd/back-monitor/database.c b/servers/slapd/back-monitor/database.c
index 267042d8ee21a16cf2dda0fbb8951efa09ccc5fb..f6d5d94a800c360b2b84911b698ef4e33e5e02da 100644 (file)
--- a/servers/slapd/back-monitor/database.c
+++ b/servers/slapd/back-monitor/database.c
@@ -247,6 +247,11 @@ monitor_subsys_database_init(
                (void)init_readOnly( mi, e, be->be_restrictops );
                (void)init_restrictedOperation( mi, e, be->be_restrictops );
 
+               if ( SLAP_SHADOW( be ) && be->be_update_refs ) {
+                       attr_merge_normalize( e, mi->mi_ad_monitorUpdateRef,
+                                       be->be_update_refs, NULL );
+               }
+
                if ( oi != NULL ) {
                        slap_overinst   *on = oi->oi_list,
                                        *on1 = on;

diff --git a/servers/slapd/back-monitor/init.c b/servers/slapd/back-monitor/init.c
index 08ce16f5fd98f4ed4ee02cdc48015f27782a894d..df6a08a99006f8d4b18d3e243d79386e521b432b 100644 (file)
--- a/servers/slapd/back-monitor/init.c
+++ b/servers/slapd/back-monitor/init.c
@@ -1166,6 +1166,13 @@ monitor_back_initialize(
                        "SINGLE-VALUE "
                        "USAGE directoryOperation )", SLAP_AT_HIDE,
                        offsetof(monitor_info_t, mi_ad_monitorIsShadow) },
+               { "monitorUpdateRef", "( 1.3.6.1.4.1.4203.666.1.53 "
+                       "NAME 'monitorUpdateRef' "
+                       "DESC 'update referral for shadow databases' "
+                       "SUP monitoredInfo "
+                       "SINGLE-VALUE "
+                       "USAGE directoryOperation )", SLAP_AT_HIDE,
+                       offsetof(monitor_info_t, mi_ad_monitorUpdateRef) },
                { NULL, NULL, 0, -1 }
        };
        

diff --git a/servers/slapd/back-monitor/log.c b/servers/slapd/back-monitor/log.c
index 607b6354a4c0a51e02068436680d7797243cd4f9..d54b572ee78d818261023f3132121538d4e9b1ee 100644 (file)
--- a/servers/slapd/back-monitor/log.c
+++ b/servers/slapd/back-monitor/log.c
@@ -197,8 +197,8 @@ monitor_subsys_log_modify(
                }
 
                /* check that the entry still obeys the schema */
-               rc = entry_schema_check( be_monitor, e, save_attrs, 
-                               &text, textbuf, sizeof( textbuf ) );
+               rc = entry_schema_check( be_monitor, e, save_attrs, 0,
+                       &text, textbuf, sizeof( textbuf ) );
                if ( rc != LDAP_SUCCESS ) {
                        rs->sr_err = rc;
                        goto cleanup;

diff --git a/servers/slapd/back-sql/add.c b/servers/slapd/back-sql/add.c
index 03accfc5ea0f871b838d3293f2af69eccbacab34..cd2b5a6131f437b7497eecfa9532245ea964dc5a 100644 (file)
--- a/servers/slapd/back-sql/add.c
+++ b/servers/slapd/back-sql/add.c
@@ -91,11 +91,8 @@ backsql_modify_delete_all_values(
                backsql_PrintErrors( bi->sql_db_env, dbh, 
                                asth, rc );
 
-               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                       rs->sr_text = "SQL-backend error";
-                       return rs->sr_err = LDAP_OTHER;
-               }
-               return LDAP_SUCCESS;
+               rs->sr_text = "SQL-backend error";
+               return rs->sr_err = LDAP_OTHER;
        }
 
        rc = backsql_BindParamID( asth, 1, SQL_PARAM_INPUT, &e_id->eid_keyval );
@@ -109,12 +106,8 @@ backsql_modify_delete_all_values(
                                asth, rc );
                SQLFreeStmt( asth, SQL_DROP );
 
-               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                       rs->sr_text = "SQL-backend error";
-                       return rs->sr_err = LDAP_OTHER;
-               }
-
-               return LDAP_SUCCESS;
+               rs->sr_text = "SQL-backend error";
+               return rs->sr_err = LDAP_OTHER;
        }
                        
        rc = SQLExecute( asth );
@@ -127,12 +120,8 @@ backsql_modify_delete_all_values(
                                asth, rc );
                SQLFreeStmt( asth, SQL_DROP );
 
-               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                       rs->sr_text = "SQL-backend error";
-                       return rs->sr_err = LDAP_OTHER;
-               }
-
-               return LDAP_SUCCESS;
+               rs->sr_text = "SQL-backend error";
+               return rs->sr_err = LDAP_OTHER;
        }
 
        backsql_BindRowAsStrings( asth, &row );
@@ -161,12 +150,8 @@ backsql_modify_delete_all_values(
                                backsql_PrintErrors( bi->sql_db_env, dbh, 
                                                sth, rc );
 
-                               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                       rs->sr_text = "SQL-backend error";
-                                       return rs->sr_err = LDAP_OTHER;
-                               }
-
-                               continue;
+                               rs->sr_text = "SQL-backend error";
+                               return rs->sr_err = LDAP_OTHER;
                        }
 
                        if ( BACKSQL_IS_DEL( at->bam_expect_return ) ) {
@@ -182,12 +167,8 @@ backsql_modify_delete_all_values(
                                                sth, rc );
                                        SQLFreeStmt( sth, SQL_DROP );
 
-                                       if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                               rs->sr_text = "SQL-backend error";
-                                               return rs->sr_err = LDAP_OTHER;
-                                       }
-
-                                       continue;
+                                       rs->sr_text = "SQL-backend error";
+                                       return rs->sr_err = LDAP_OTHER;
                                }
 
                        } else {
@@ -205,12 +186,8 @@ backsql_modify_delete_all_values(
                                        sth, rc );
                                SQLFreeStmt( sth, SQL_DROP );
 
-                               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                       rs->sr_text = "SQL-backend error";
-                                       return rs->sr_err = LDAP_OTHER;
-                               }
-
-                               continue;
+                               rs->sr_text = "SQL-backend error";
+                               return rs->sr_err = LDAP_OTHER;
                        }
 #ifdef BACKSQL_ARBITRARY_KEY
                        Debug( LDAP_DEBUG_TRACE,
@@ -240,12 +217,8 @@ backsql_modify_delete_all_values(
                                        sth, rc );
                                SQLFreeStmt( sth, SQL_DROP );
 
-                               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                       rs->sr_text = "SQL-backend error";
-                                       return rs->sr_err = LDAP_OTHER;
-                               }
-
-                               continue;
+                               rs->sr_text = "SQL-backend error";
+                               return rs->sr_err = LDAP_OTHER;
                        }
         
                        Debug( LDAP_DEBUG_TRACE, 
@@ -267,21 +240,15 @@ backsql_modify_delete_all_values(
                                        /* SQL procedure executed fine 
                                         * but returned an error */
                                        rs->sr_err = BACKSQL_SANITIZE_ERROR( prc );
-                                       rs->sr_text = op->ora_e->e_name.bv_val;
-                                       SQLFreeStmt( sth, SQL_DROP );
-                                       return rs->sr_err;
 
                                } else {
                                        backsql_PrintErrors( bi->sql_db_env, dbh,
                                                        sth, rc );
-                                       if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) 
-                                       {
-                                               rs->sr_err = LDAP_OTHER;
-                                               rs->sr_text = op->ora_e->e_name.bv_val;
-                                               SQLFreeStmt( sth, SQL_DROP );
-                                               return rs->sr_err;
-                                       }
+                                       rs->sr_err = LDAP_OTHER;
                                }
+                               rs->sr_text = op->ora_e->e_name.bv_val;
+                               SQLFreeStmt( sth, SQL_DROP );
+                               return rs->sr_err;
                        }
                        SQLFreeStmt( sth, SQL_DROP );
                }
@@ -551,12 +518,10 @@ add_only:;
                                        backsql_PrintErrors( bi->sql_db_env,
                                                        dbh, sth, rc );
 
-                                       if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                               SQLFreeStmt( sth, SQL_DROP );
-                                               rs->sr_err = LDAP_OTHER;
-                                               rs->sr_text = "SQL-backend error";
-                                               goto done;
-                                       }
+                                       SQLFreeStmt( sth, SQL_DROP );
+                                       rs->sr_err = LDAP_OTHER;
+                                       rs->sr_text = "SQL-backend error";
+                                       goto done;
                                }
                                SQLFreeStmt( sth, SQL_DROP );
                        }
@@ -676,11 +641,9 @@ add_only:;
                                                sth, rc );
                                        SQLFreeStmt( sth, SQL_DROP );
 
-                                       if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                               rs->sr_text = "SQL-backend error";
-                                               rs->sr_err = LDAP_OTHER;
-                                               goto done;
-                                       }
+                                       rs->sr_text = "SQL-backend error";
+                                       rs->sr_err = LDAP_OTHER;
+                                       goto done;
                                }
 
                                Debug( LDAP_DEBUG_TRACE,
@@ -709,13 +672,10 @@ add_only:;
                                        } else {
                                                backsql_PrintErrors( bi->sql_db_env,
                                                                dbh, sth, rc );
-                                               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) )
-                                               {
-                                                       SQLFreeStmt( sth, SQL_DROP );
-                                                       rs->sr_err = LDAP_OTHER;
-                                                       rs->sr_text = at->bam_ad->ad_cname.bv_val;
-                                                       goto done;
-                                               }
+                                               SQLFreeStmt( sth, SQL_DROP );
+                                               rs->sr_err = LDAP_OTHER;
+                                               rs->sr_text = at->bam_ad->ad_cname.bv_val;
+                                               goto done;
                                        }
                                }
                                SQLFreeStmt( sth, SQL_DROP );
@@ -823,13 +783,8 @@ backsql_add_attr(
 
                rc = backsql_Prepare( dbh, &sth, at_rec->bam_add_proc, 0 );
                if ( rc != SQL_SUCCESS ) {
-
-                       if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                               rs->sr_text = "SQL-backend error";
-                               return rs->sr_err = LDAP_OTHER;
-                       }
-
-                       return LDAP_SUCCESS;
+                       rs->sr_text = "SQL-backend error";
+                       return rs->sr_err = LDAP_OTHER;
                }
 
                if ( BACKSQL_IS_ADD( at_rec->bam_expect_return ) ) {
@@ -844,12 +799,8 @@ backsql_add_attr(
                                        sth, rc );
                                SQLFreeStmt( sth, SQL_DROP );
 
-                               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                       rs->sr_text = "SQL-backend error";
-                                       return rs->sr_err = LDAP_OTHER;
-                               }
-
-                               return LDAP_SUCCESS;
+                               rs->sr_text = "SQL-backend error";
+                               return rs->sr_err = LDAP_OTHER;
                        }
 
                } else {
@@ -869,12 +820,8 @@ backsql_add_attr(
                                sth, rc );
                        SQLFreeStmt( sth, SQL_DROP );
 
-                       if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                               rs->sr_text = "SQL-backend error";
-                               return rs->sr_err = LDAP_OTHER;
-                       }
-
-                       return LDAP_SUCCESS;
+                       rs->sr_text = "SQL-backend error";
+                       return rs->sr_err = LDAP_OTHER;
                }
 
                currpos = pno + 2 - po;
@@ -894,12 +841,8 @@ backsql_add_attr(
                                sth, rc );
                        SQLFreeStmt( sth, SQL_DROP );
 
-                       if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                               rs->sr_text = "SQL-backend error";
-                               return rs->sr_err = LDAP_OTHER;
-                       }
-
-                       return LDAP_SUCCESS;
+                       rs->sr_text = "SQL-backend error";
+                       return rs->sr_err = LDAP_OTHER;
                }
 
 #ifdef LDAP_DEBUG
@@ -930,12 +873,10 @@ backsql_add_attr(
                        } else {
                                backsql_PrintErrors( bi->sql_db_env, dbh,
                                                sth, rc );
-                               if ( BACKSQL_FAIL_IF_NO_MAPPING( bi ) ) {
-                                       rs->sr_err = LDAP_OTHER;
-                                       rs->sr_text = op->ora_e->e_name.bv_val;
-                                       SQLFreeStmt( sth, SQL_DROP );
-                                       return rs->sr_err;
-                               }
+                               rs->sr_err = LDAP_OTHER;
+                               rs->sr_text = op->ora_e->e_name.bv_val;
+                               SQLFreeStmt( sth, SQL_DROP );
+                               return rs->sr_err;
                        }
                }
                SQLFreeStmt( sth, SQL_DROP );
@@ -989,9 +930,8 @@ backsql_add( Operation *op, SlapReply *rs )
        if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
                char            textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };
 
-               rs->sr_err = entry_schema_check( op->o_bd, op->ora_e,
-                               NULL,
-                               &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rs->sr_err = entry_schema_check( op->o_bd, op->ora_e, NULL, 0,
+                       &rs->sr_text, textbuf, sizeof( textbuf ) );
                if ( rs->sr_err != LDAP_SUCCESS ) {
                        Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
                                "entry failed schema check -- aborting\n",
@@ -1554,7 +1494,7 @@ done:;
        }
 
        if ( !BER_BVISNULL( &p.e_nname ) ) {
-               entry_clean( &p );
+               backsql_entry_clean( op, &p );
        }
 
        Debug( LDAP_DEBUG_TRACE, "<==backsql_add(\"%s\"): %d \"%s\"\n",

diff --git a/servers/slapd/back-sql/bind.c b/servers/slapd/back-sql/bind.c
index 5817d06af60eaaa9b1fc0dea4fd214ef3385a267..0bc12e5a24c7475f2dfdb53407c06f647258487d 100644 (file)
--- a/servers/slapd/back-sql/bind.c
+++ b/servers/slapd/back-sql/bind.c
@@ -106,7 +106,7 @@ error_return:;
        }
 
        if ( !BER_BVISNULL( &e.e_nname ) ) {
-               entry_clean( &e );
+               backsql_entry_clean( op, &e );
        }
 
        if ( bsi.bsi_attrs != NULL ) {

diff --git a/servers/slapd/back-sql/compare.c b/servers/slapd/back-sql/compare.c
index 4783714f148bd393ec4e1f429d5c9d1822911dc0..9baf9ff35d66d3cf016a40c0f3c240e12d61d579 100644 (file)
--- a/servers/slapd/back-sql/compare.c
+++ b/servers/slapd/back-sql/compare.c
@@ -181,7 +181,7 @@ return_results:;
        }
 
        if ( !BER_BVISNULL( &e.e_nname ) ) {
-               entry_clean( &e );
+               backsql_entry_clean( op, &e );
        }
 
        if ( bsi.bsi_attrs != NULL ) {

diff --git a/servers/slapd/back-sql/delete.c b/servers/slapd/back-sql/delete.c
index 5659541268adaae12a36f7d5779f72bf3deb0f09..e8bf7142c67983d7553822e750e2c3a47a7af888 100644 (file)
--- a/servers/slapd/back-sql/delete.c
+++ b/servers/slapd/back-sql/delete.c
@@ -474,11 +474,11 @@ done:;
        }
 
        if ( !BER_BVISNULL( &d.e_nname ) ) {
-               entry_clean( &d );
+               backsql_entry_clean( op, &d );
        }
 
        if ( !BER_BVISNULL( &p.e_nname ) ) {
-               entry_clean( &p );
+               backsql_entry_clean( op, &p );
        }
 
        return rs->sr_err;

diff --git a/servers/slapd/back-sql/entry-id.c b/servers/slapd/back-sql/entry-id.c
index 49d3346c7e5715d73f6dc1741ae93f60c057a98b..87aba87a7d1cda1109106c8c3de7474a248bef52 100644 (file)
--- a/servers/slapd/back-sql/entry-id.c
+++ b/servers/slapd/back-sql/entry-id.c
@@ -862,7 +862,7 @@ backsql_id2entry( backsql_srch_info *bsi, backsql_entryID *eid )
                        &bsi->bsi_oc->bom_oc->soc_cname,
                        bsi->bsi_op->o_tmpmemctx );
        if ( rc != LDAP_SUCCESS ) {
-               entry_clean( bsi->bsi_e );
+               backsql_entry_clean( op, bsi->bsi_e );
                return rc;
        }
 
@@ -966,7 +966,7 @@ next:;
                                        "structural_class() failed %d (%s)\n",
                                        bsi->bsi_e->e_name.bv_val,
                                        rc, text ? text : "" );
-                               entry_clean( bsi->bsi_e );
+                               backsql_entry_clean( op, bsi->bsi_e );
                                return rc;
                        }
 
@@ -977,7 +977,7 @@ next:;
                                        "to entry\n",
                                        bsi->bsi_e->e_name.bv_val, soc.bv_val,
                                        bsi->bsi_oc->bom_oc->soc_cname.bv_val );
-                               entry_clean( bsi->bsi_e );
+                               backsql_entry_clean( op, bsi->bsi_e );
                                return rc;
                        }
                }
@@ -987,7 +987,7 @@ next:;
                                &bsi->bsi_oc->bom_oc->soc_cname,
                                bsi->bsi_op->o_tmpmemctx );
                if ( rc != LDAP_SUCCESS ) {
-                       entry_clean( bsi->bsi_e );
+                       backsql_entry_clean( op, bsi->bsi_e );
                        return rc;
                }
        }

diff --git a/servers/slapd/back-sql/init.c b/servers/slapd/back-sql/init.c
index f3e744fe4bc1e698cf7aa06272407a0e05ec051f..cf0bebf73b95282f32b40d805184a295731892b3 100644 (file)
--- a/servers/slapd/back-sql/init.c
+++ b/servers/slapd/back-sql/init.c
@@ -74,6 +74,7 @@ sql_back_initialize(
        bi->bi_chk_referrals = 0;
        bi->bi_operational = backsql_operational;
        bi->bi_entry_get_rw = backsql_entry_get;
+       bi->bi_entry_release_rw = backsql_entry_release;
  
        bi->bi_connection_init = 0;
        bi->bi_connection_destroy = backsql_connection_destroy;

diff --git a/servers/slapd/back-sql/modify.c b/servers/slapd/back-sql/modify.c
index b75697a2d82765b148b56b81c9b28f771aa8b34c..623362a487852af522bb3c47bc62fe0033d8d076 100644 (file)
--- a/servers/slapd/back-sql/modify.c
+++ b/servers/slapd/back-sql/modify.c
@@ -158,7 +158,7 @@ backsql_modify( Operation *op, SlapReply *rs )
        if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
                char            textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };
 
-               entry_clean( &m );
+               backsql_entry_clean( op, &m );
 
                bsi.bsi_e = &m;
                rs->sr_err = backsql_id2entry( &bsi, &bsi.bsi_base_id );
@@ -167,9 +167,8 @@ backsql_modify( Operation *op, SlapReply *rs )
                        goto do_transact;
                }
 
-               rs->sr_err = entry_schema_check( op->o_bd, &m,
-                               NULL,
-                               &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rs->sr_err = entry_schema_check( op->o_bd, &m, NULL, 0,
+                       &rs->sr_text, textbuf, sizeof( textbuf ) );
                if ( rs->sr_err != LDAP_SUCCESS ) {
                        Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
                                "entry failed schema check -- aborting\n",
@@ -213,7 +212,7 @@ done:;
        }
 
        if ( !BER_BVISNULL( &m.e_nname ) ) {
-               entry_clean( &m );
+               backsql_entry_clean( op, &m );
        }
 
        if ( bsi.bsi_attrs != NULL ) {

diff --git a/servers/slapd/back-sql/modrdn.c b/servers/slapd/back-sql/modrdn.c
index 7c6c36baeae093deb76b9ad86e3539dd4dc79364..ce904498e2ef75106df5f3cdb4896642d09415d6 100644 (file)
--- a/servers/slapd/back-sql/modrdn.c
+++ b/servers/slapd/back-sql/modrdn.c
@@ -449,7 +449,7 @@ backsql_modrdn( Operation *op, SlapReply *rs )
        if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
                char            textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };
 
-               entry_clean( &r );
+               backsql_entry_clean( op, &r );
                (void)backsql_free_entryID( op, &e_id, 0 );
 
                bsi.bsi_e = &r;
@@ -495,9 +495,8 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 
                e_id = bsi.bsi_base_id;
 
-               rs->sr_err = entry_schema_check( op->o_bd, &r,
-                               NULL,
-                               &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rs->sr_err = entry_schema_check( op->o_bd, &r, NULL, 0,
+                       &rs->sr_text, textbuf, sizeof( textbuf ) );
                if ( rs->sr_err != LDAP_SUCCESS ) {
                        Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
                                "entry failed schema check -- aborting\n",
@@ -575,15 +574,15 @@ done:;
        }
 
        if ( !BER_BVISNULL( &r.e_nname ) ) {
-               entry_clean( &r );
+               backsql_entry_clean( op, &r );
        }
 
        if ( !BER_BVISNULL( &p.e_nname ) ) {
-               entry_clean( &p );
+               backsql_entry_clean( op, &p );
        }
 
        if ( !BER_BVISNULL( &n.e_nname ) ) {
-               entry_clean( &n );
+               backsql_entry_clean( op, &n );
        }
 
        Debug( LDAP_DEBUG_TRACE, "<==backsql_modrdn()\n", 0, 0, 0 );

diff --git a/servers/slapd/back-sql/proto-sql.h b/servers/slapd/back-sql/proto-sql.h
index 8019284223d1e0e0712fcc321fbfe705c86273c4..4cdc28d20273b246c495165e8b7ae6f6eddf658c 100644 (file)
--- a/servers/slapd/back-sql/proto-sql.h
+++ b/servers/slapd/back-sql/proto-sql.h
@@ -169,6 +169,8 @@ int backsql_init_search( backsql_srch_info *bsi,
                Operation *op, SlapReply *rs, AttributeName *attrs,
                unsigned flags );
 
+void backsql_entry_clean( Operation *op, Entry *e );
+
 /*
  * sql-wrap.h
  */
@@ -283,6 +285,7 @@ extern BI_op_delete         backsql_delete;
 
 extern BI_operational          backsql_operational;
 extern BI_entry_get_rw         backsql_entry_get;
+extern BI_entry_release_rw     backsql_entry_release;
 
 extern BI_connection_destroy   backsql_connection_destroy;
 

diff --git a/servers/slapd/back-sql/rdbms_depend/pgsql/backsql_drop.sql b/servers/slapd/back-sql/rdbms_depend/pgsql/backsql_drop.sql
index 49e7e3acd15294e2d775ccf643d6bfeffbbcf096..eff0a9ef530cef949b6901f2626f06d2ca302b4e 100644 (file)
--- a/servers/slapd/back-sql/rdbms_depend/pgsql/backsql_drop.sql
+++ b/servers/slapd/back-sql/rdbms_depend/pgsql/backsql_drop.sql
@@ -1,4 +1,3 @@
-DROP TABLE ldap_referrals;
 DROP TABLE ldap_entry_objclasses;
 DROP TABLE ldap_attr_mappings;
 DROP TABLE ldap_entries;

diff --git a/servers/slapd/back-sql/rdbms_depend/pgsql/testdb_drop.sql b/servers/slapd/back-sql/rdbms_depend/pgsql/testdb_drop.sql
index 17b12afd425fd0c5f9fbf92dbe4d6674c7f35741..908cd44123a13aa1a70d358d341785cc05b2f8f9 100644 (file)
--- a/servers/slapd/back-sql/rdbms_depend/pgsql/testdb_drop.sql
+++ b/servers/slapd/back-sql/rdbms_depend/pgsql/testdb_drop.sql
@@ -3,3 +3,4 @@ DROP TABLE institutes;
 DROP TABLE documents;
 DROP TABLE authors_docs;
 DROP TABLE phones;
+DROP TABLE referrals;

diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
index da3cea0d21fd9aa791a236147ed1a300dd15974c..98f0041501becd6d7d1637172eb5cfddfbf8101b 100644 (file)
--- a/servers/slapd/back-sql/search.c
+++ b/servers/slapd/back-sql/search.c
@@ -2096,7 +2096,7 @@ backsql_search( Operation *op, SlapReply *rs )
                                        } else {
                                                rs->sr_err = LDAP_OTHER;
                                        }
-                                       entry_clean( &user_entry2 );
+                                       backsql_entry_clean( op, &user_entry2 );
                                }
                                if ( bsi2.bsi_attrs != NULL ) {
                                        op->o_tmpfree( bsi2.bsi_attrs,
@@ -2218,7 +2218,7 @@ backsql_search( Operation *op, SlapReply *rs )
 
 next_entry:;
                if ( e == &user_entry ) {
-                       entry_clean( &user_entry );
+                       backsql_entry_clean( op, &user_entry );
                }
 
 next_entry2:;
@@ -2245,10 +2245,10 @@ send_results:;
                send_ldap_result( op, rs );
        }
 
-       entry_clean( &base_entry );
+       backsql_entry_clean( op, &base_entry );
 
        /* in case we got here accidentally */
-       entry_clean( &user_entry );
+       backsql_entry_clean( op, &user_entry );
 
        if ( rs->sr_v2ref ) {
                ber_bvarray_free( rs->sr_v2ref );
@@ -2390,3 +2390,39 @@ return_results:;
        return rc;
 }
 
+void
+backsql_entry_clean(
+               Operation       *op,
+               Entry           *e )
+{
+       void *ctx;
+
+       ctx = ldap_pvt_thread_pool_context();
+
+       if ( ctx == NULL || ctx != op->o_tmpmemctx ) {
+               if ( !BER_BVISNULL( &e->e_name ) ) {
+                       op->o_tmpfree( e->e_name.bv_val, op->o_tmpmemctx );
+                       BER_BVZERO( &e->e_name );
+               }
+
+               if ( !BER_BVISNULL( &e->e_nname ) ) {
+                       op->o_tmpfree( e->e_nname.bv_val, op->o_tmpmemctx );
+                       BER_BVZERO( &e->e_nname );
+               }
+       }
+
+       entry_clean( e );
+}
+
+int
+backsql_entry_release(
+               Operation       *op,
+               Entry           *e,
+               int             rw )
+{
+       backsql_entry_clean( op, e );
+
+       ch_free( e );
+
+       return 0;
+}

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 17a92e79aaa8f1b02c5bbc0a2a47c082104de706..4552a6ac1c6d4ff3a7397c5725e211e229e29153 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -98,8 +98,7 @@ int backend_init(void)
                return -1;
        }
 
-       for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ )
-       {
+       for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ ) {
                assert( bi->bi_init );
 
                rc = bi->bi_init( bi );
@@ -821,18 +820,18 @@ backend_check_controls(
                                break;
 
                        case LDAP_COMPARE_FALSE:
-                               if ( !op->o_bd->be_ctrls[ cid ] )
-                               {
+                               if ( !op->o_bd->be_ctrls[cid] && (*ctrls)->ldctl_iscritical ) {
                                        /* Per RFC 2251 (and LDAPBIS discussions), if the control
                                         * is recognized and appropriate for the operation (which
                                         * we've already verified), then the server should make
                                         * use of the control when performing the operation.
                                         * 
                                         * Here we find that operation extended by the control
-                                        * is not unavailable in a particular context, hence the
-                                        * return of unwillingToPerform.
+                                        * is unavailable in a particular context, and the control
+                                        * is marked Critical, hence the return of
+                                        * unwillingToPerform.
                                         */
-                                       rs->sr_text = "control unavailable in context";
+                                       rs->sr_text = "critical control unavailable in context";
                                        rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
                                        goto done;
                                }
@@ -843,6 +842,11 @@ backend_check_controls(
 
                        default:
                                /* unreachable */
+                               Debug( LDAP_DEBUG_ANY,
+                                       "backend_check_controls: unable to check control: %s\n",
+                                       (*ctrls)->ldctl_oid, 0, 0 );
+                               assert( 0 );
+
                                rs->sr_text = "unable to check control";
                                rs->sr_err = LDAP_OTHER;
                                goto done;
@@ -850,6 +854,12 @@ backend_check_controls(
                }
        }
 
+       /* check should be generalized */
+       if( get_manageDIT(op) && !be_isroot(op)) {
+               rs->sr_text = "requires manager authorization";
+               rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+       }
+
 done:;
        return rs->sr_err;
 }

diff --git a/servers/slapd/backover.c b/servers/slapd/backover.c
index 599899ff857d16a213da881e5d11d56ab2a7b2c0..0e8b0c27ac58f523020a917bb563462b07cf2884 100644 (file)
--- a/servers/slapd/backover.c
+++ b/servers/slapd/backover.c
@@ -72,12 +72,14 @@ over_db_config(
        slap_overinfo *oi = be->bd_info->bi_private;
        slap_overinst *on = oi->oi_list;
        BackendInfo *bi_orig = be->bd_info;
+       struct ConfigOCs *be_cf_ocs = be->be_cf_ocs;
        ConfigArgs ca = {0};
        ConfigTable *ct;
        int rc = 0;
 
        if ( oi->oi_orig->bi_db_config ) {
                be->bd_info = oi->oi_orig;
+               be->be_cf_ocs = oi->oi_orig->bi_cf_ocs;
                rc = oi->oi_orig->bi_db_config( be, fname, lineno,
                        argc, argv );
 
@@ -149,6 +151,8 @@ over_db_config(
                }
        }
        be->bd_info = bi_orig;
+       be->be_cf_ocs = be_cf_ocs;
+       
        return rc;
 }
 

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 2d41de9bdead0de746ac3f5c4972eac4d32b5816..fc600772ea65aa764f9cd738270ba62cfe8d8b38 100644 (file)
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -90,8 +90,8 @@ static ConfigFile cf_prv, *cfn = &cf_prv;
 
 static Avlnode *CfOcTree;
 
-static int config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs,
-       int *renumber );
+static int config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca,
+       SlapReply *rs, int *renumber );
 
 static ConfigDriver config_fname;
 static ConfigDriver config_cfdir;
@@ -234,7 +234,7 @@ static ConfigTable config_back_cf_table[] = {
                &config_generic, "( OLcfgGlAt:5 NAME 'olcAttributeOptions' "
                        "EQUALITY caseIgnoreMatch "
                        "SYNTAX OMsDirectoryString )", NULL, NULL },
-       { "authid-rewrite", NULL, 2, 0, 0,
+       { "authid-rewrite", NULL, 2, 0, STRLENOF( "authid-rewrite" ),
 #ifdef SLAP_AUTH_REWRITE
                ARG_MAGIC|CFG_REWRITE|ARG_NO_INSERT, &config_generic,
 #else
@@ -968,11 +968,14 @@ config_generic(ConfigArgs *c) {
                                c->be = LDAP_STAILQ_FIRST(&backendDB);
                        } else if ( !strcasecmp( c->argv[1], "frontend" )) {
                                c->be = frontendDB;
-                       } else if(!(c->be = backend_db_init(c->argv[1]))) {
-                               sprintf( c->msg, "<%s> failed init", c->argv[0] );
-                               Debug(LDAP_DEBUG_ANY, "%s: %s (%s)!\n",
-                                       c->log, c->msg, c->argv[1] );
-                               return(1);
+                       } else {
+                               c->be = backend_db_init(c->argv[1]);
+                               if ( !c->be ) {
+                                       sprintf( c->msg, "<%s> failed init", c->argv[0] );
+                                       Debug(LDAP_DEBUG_ANY, "%s: %s (%s)!\n",
+                                               c->log, c->msg, c->argv[1] );
+                                       return(1);
+                               }
                        }
                        break;
 
@@ -1207,9 +1210,27 @@ config_generic(ConfigArgs *c) {
 #ifdef SLAP_AUTH_REWRITE
                case CFG_REWRITE: {
                        struct berval bv;
+                       char *line;
+                       
                        if(slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv))
                                return(1);
-                       ber_str2bv( c->line, 0, 1, &bv );
+
+                       if ( c->argc > 1 ) {
+                               char    *s;
+
+                               /* quote all args but the first */
+                               line = ldap_charray2str( c->argv, "\" \"" );
+                               ber_str2bv( line, 0, 0, &bv );
+                               s = strchr( bv.bv_val, '"' );
+                               assert( s != NULL );
+                               /* move the trailing quote of argv[0] to the end */
+                               AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
+                               bv.bv_val[ bv.bv_len - 1 ] = '"';
+
+                       } else {
+                               ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
+                       }
+                       
                        ber_bvarray_add( &authz_rewrites, &bv );
                        }
                        break;
@@ -2374,14 +2395,19 @@ config_find_base( CfEntryInfo *root, struct berval *dn, CfEntryInfo **last )
        return root;
 }
 
+typedef struct setup_cookie {
+       CfBackInfo *cfb;
+       ConfigArgs *ca;
+} setup_cookie;
+
 static int
 config_ldif_resp( Operation *op, SlapReply *rs )
 {
        if ( rs->sr_type == REP_SEARCH ) {
-               CfBackInfo *cfb = op->o_callback->sc_private;
+               setup_cookie *sc = op->o_callback->sc_private;
 
-               cfb->cb_got_ldif = 1;
-               rs->sr_err = config_add_internal( cfb, rs->sr_entry, NULL, NULL );
+               sc->cfb->cb_got_ldif = 1;
+               rs->sr_err = config_add_internal( sc->cfb, rs->sr_entry, sc->ca, NULL, NULL );
        }
        return rs->sr_err;
 }
@@ -2394,6 +2420,7 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) {
        ConfigTable *ct;
        char *argv[3];
        int rc = 0;
+       setup_cookie sc;
        slap_callback cb = { NULL, config_ldif_resp, NULL, NULL };
        Connection conn = {0};
        char opbuf[OPERATION_BUFFER_SIZE];
@@ -2470,7 +2497,9 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) {
                op->ors_attrsonly = 0;
 
                op->o_callback = &cb;
-               cb.sc_private = cfb;
+               sc.cfb = cfb;
+               sc.ca = &c;
+               cb.sc_private = &sc;
 
                op->o_bd = &cfb->cb_db;
                rc = op->o_bd->be_search( op, &rs );
@@ -2549,8 +2578,10 @@ read_config(const char *fname, const char *dir) {
                        return 1;
 
                /* If we read the config from back-ldif, nothing to do here */
-               if ( cfb->cb_got_ldif )
-                       return 0;
+               if ( cfb->cb_got_ldif ) {
+                       rc = 0;
+                       goto done;
+               }
        }
 
        if ( fname )
@@ -2581,6 +2612,20 @@ read_config(const char *fname, const char *dir) {
                }
                break;
        }
+
+done:
+       if ( rc == 0 && BER_BVISNULL( &frontendDB->be_schemadn ) ) {
+               ber_str2bv( SLAPD_SCHEMA_DN, STRLENOF( SLAPD_SCHEMA_DN ), 1,
+                       &frontendDB->be_schemadn );
+               rc = dnNormalize( 0, NULL, NULL, &frontendDB->be_schemadn, &frontendDB->be_schemandn, NULL );
+               if ( rc != LDAP_SUCCESS ) {
+                       Debug(LDAP_DEBUG_ANY, "read_config: "
+                               "unable to normalize default schema DN \"%s\"\n",
+                               frontendDB->be_schemadn.bv_val, 0, 0 );
+                       /* must not happen */
+                       assert( 0 );
+               }
+       }
        return rc;
 }
 
@@ -2962,13 +3007,12 @@ cfAddOverlay( CfEntryInfo *p, Entry *e, struct config_args_s *ca )
 
 /* Parse an LDAP entry into config directives */
 static int
-config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
+config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, int *renum )
 {
        CfEntryInfo *ce, *last;
        ConfigOCs **colst;
        Attribute *a, *oc_at;
        int i, j, nocs, rc = 0;
-       ConfigArgs ca = {0};
        struct berval pdn;
        ConfigTable *ct;
        char *ptr;
@@ -2992,15 +3036,17 @@ config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
        oc_at = attr_find( e->e_attrs, slap_schema.si_ad_objectClass );
        if ( !oc_at ) return LDAP_OBJECT_CLASS_VIOLATION;
 
+       memset( ca, 0, sizeof(ConfigArgs));
+
        /* Fake the coordinates based on whether we're part of an
         * LDAP Add or if reading the config dir
         */
        if ( rs ) {
-               ca.fname = "slapd";
-               ca.lineno = 0;
+               ca->fname = "slapd";
+               ca->lineno = 0;
        } else {
-               ca.fname = cfdir.bv_val;
-               ca.lineno = 1;
+               ca->fname = cfdir.bv_val;
+               ca->lineno = 1;
        }
 
        colst = count_ocs( oc_at, &nocs );
@@ -3011,8 +3057,8 @@ config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
        rc = LDAP_CONSTRAINT_VIOLATION;
        if ( colst[0]->co_type == Cft_Global && !last ) {
                cfn = &cf_prv;
-               ca.private = cfn;
-               ca.be = frontendDB;     /* just to get past check_vals */
+               ca->private = cfn;
+               ca->be = frontendDB;    /* just to get past check_vals */
                rc = LDAP_SUCCESS;
        }
 
@@ -3022,7 +3068,7 @@ config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
        if ( last ) {
                for ( i=0; i<nocs; i++ ) {
                        if ( colst[i]->co_ldadd &&
-                               ( rc = colst[i]->co_ldadd( last, e, &ca ))
+                               ( rc = colst[i]->co_ldadd( last, e, ca ))
                                        != LDAP_CONSTRAINT_VIOLATION ) {
                                break;
                        }
@@ -3058,7 +3104,7 @@ config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
        if ( rc )
                goto leave;
 
-       init_config_argv( &ca );
+       init_config_argv( ca );
 
        /* Make sure we process attrs in the required order */
        sort_attrs( e, colst, nocs );
@@ -3067,7 +3113,7 @@ config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
                if ( a == oc_at ) continue;
                ct = config_find_table( colst, nocs, a->a_desc );
                if ( !ct ) continue;    /* user data? */
-               rc = check_vals( ct, &ca, a, 1 );
+               rc = check_vals( ct, ca, a, 1 );
                if ( rc ) goto leave;
        }
 
@@ -3077,13 +3123,13 @@ config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
                ct = config_find_table( colst, nocs, a->a_desc );
                if ( !ct ) continue;    /* user data? */
                for (i=0; a->a_vals[i].bv_val; i++) {
-                       ca.line = a->a_vals[i].bv_val;
+                       ca->line = a->a_vals[i].bv_val;
                        if ( a->a_desc->ad_type->sat_flags & SLAP_AT_ORDERED ) {
-                               ptr = strchr( ca.line, '}' );
-                               if ( ptr ) ca.line = ptr+1;
+                               ptr = strchr( ca->line, '}' );
+                               if ( ptr ) ca->line = ptr+1;
                        }
-                       ca.valx = i;
-                       rc = config_parse_add( ct, &ca );
+                       ca->valx = i;
+                       rc = config_parse_add( ct, ca );
                        if ( rc ) {
                                rc = LDAP_OTHER;
                                goto leave;
@@ -3091,14 +3137,36 @@ config_add_internal( CfBackInfo *cfb, Entry *e, SlapReply *rs, int *renum )
                }
        }
 ok:
+       /* Newly added databases and overlays need to be started up */
+       if ( CONFIG_ONLINE_ADD( ca )) {
+               if ( colst[0]->co_type == Cft_Database ) {
+                       rc = backend_startup_one( ca->be );
+
+               } else if ( colst[0]->co_type == Cft_Overlay ) {
+                       if ( ca->bi->bi_db_open ) {
+                               BackendInfo *bi_orig = ca->be->bd_info;
+                               ca->be->bd_info = ca->bi;
+                               rc = ca->bi->bi_db_open( ca->be );
+                               ca->be->bd_info = bi_orig;
+                       }
+               }
+               if ( rc ) {
+                       sprintf( ca->msg, "<%s> failed startup", ca->argv[0] );
+                       Debug(LDAP_DEBUG_ANY, "%s: %s (%s)!\n",
+                               ca->log, ca->msg, ca->argv[1] );
+                       rc = LDAP_OTHER;
+                       goto leave;
+               }
+       }
+
        ce = ch_calloc( 1, sizeof(CfEntryInfo) );
        ce->ce_parent = last;
        ce->ce_entry = entry_dup( e );
        ce->ce_entry->e_private = ce;
        ce->ce_type = colst[0]->co_type;
-       ce->ce_be = ca.be;
-       ce->ce_bi = ca.bi;
-       ce->ce_private = ca.private;
+       ce->ce_be = ca->be;
+       ce->ce_bi = ca->bi;
+       ce->ce_private = ca->private;
        if ( !last ) {
                cfb->cb_root = ce;
        } else if ( last->ce_kids ) {
@@ -3112,7 +3180,7 @@ ok:
        }
 
 leave:
-       ch_free( ca.argv );
+       ch_free( ca->argv );
        if ( colst ) ch_free( colst );
        return rc;
 }
@@ -3126,6 +3194,7 @@ config_back_add( Operation *op, SlapReply *rs )
        CfBackInfo *cfb;
        CfEntryInfo *ce, *last;
        int renumber;
+       ConfigArgs ca;
 
        if ( !be_isroot( op ) ) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
@@ -3143,8 +3212,10 @@ config_back_add( Operation *op, SlapReply *rs )
         * 4) store entry in underlying database
         * 5) perform any necessary renumbering
         */
-       rs->sr_err = config_add_internal( cfb, op->ora_e, rs, &renumber );
-       if ( rs->sr_err == LDAP_SUCCESS && cfb->cb_use_ldif ) {
+       rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber );
+       if ( rs->sr_err != LDAP_SUCCESS ) {
+               rs->sr_text = ca.msg;
+       } else if ( cfb->cb_use_ldif ) {
                BackendDB *be = op->o_bd;
                slap_callback sc = { NULL, slap_null_cb, NULL, NULL };
                op->o_bd = &cfb->cb_db;
@@ -3167,7 +3238,7 @@ out:
 typedef struct delrec {
        struct delrec *next;
        int nidx;
-       int idx[0];
+       int idx[1];
 } delrec;
 
 static int
@@ -3226,7 +3297,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
                        if ( ct && ml->sml_values ) {
                                delrec *d;
                                for (i=0; ml->sml_values[i].bv_val; i++);
-                               d = ch_malloc( sizeof(delrec) + i * sizeof(int));
+                               d = ch_malloc( sizeof(delrec) + (i - 1)* sizeof(int));
                                d->nidx = i;
                                d->next = NULL;
                                if ( dels ) {
@@ -3305,7 +3376,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
        
        if(rc == LDAP_SUCCESS) {
                /* check that the entry still obeys the schema */
-               rc = entry_schema_check(op->o_bd, e, NULL,
+               rc = entry_schema_check(op->o_bd, e, NULL, 0,
                        &rs->sr_text, ca->msg, sizeof(ca->msg) );
        }
        if ( rc == LDAP_SUCCESS ) {
@@ -4003,9 +4074,10 @@ config_tool_entry_put( BackendDB *be, Entry *e, struct berval *text )
 {
        CfBackInfo *cfb = be->be_private;
        BackendInfo *bi = cfb->cb_db.bd_info;
+       ConfigArgs ca;
 
        if ( bi && bi->bi_tool_entry_put &&
-               config_add_internal( cfb, e, NULL, NULL ) == 0 )
+               config_add_internal( cfb, e, &ca, NULL, NULL ) == 0 )
                return bi->bi_tool_entry_put( &cfb->cb_db, e, text );
        else
                return NOID;

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 851fdae3b9d77d0234b7f6c86a78dc30a5f0b3dd..980e2ab105cb38b1010798cf84938dfd53d01917 100644 (file)
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -686,18 +686,6 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf, ConfigTable *cft)
                }
        }
 
-       if ( BER_BVISNULL( &frontendDB->be_schemadn ) ) {
-               ber_str2bv( SLAPD_SCHEMA_DN, STRLENOF( SLAPD_SCHEMA_DN ), 1,
-                       &frontendDB->be_schemadn );
-               rc = dnNormalize( 0, NULL, NULL, &frontendDB->be_schemadn, &frontendDB->be_schemandn, NULL );
-               if ( rc != LDAP_SUCCESS ) {
-                       Debug(LDAP_DEBUG_ANY, "%s: "
-                               "unable to normalize default schema DN \"%s\"\n",
-                               c->log, frontendDB->be_schemadn.bv_val, 0 );
-                       /* must not happen */
-                       assert( 0 );
-               }
-       }
        rc = 0;
 
 leave:
@@ -745,6 +733,21 @@ mask_to_verbs(slap_verbmasks *v, slap_mask_t m, BerVarray *bva) {
        return 0;
 }
 
+int
+enum_to_verb(slap_verbmasks *v, slap_mask_t m, struct berval *bv) {
+       int i;
+
+       for (i=0; !BER_BVISNULL(&v[i].word); i++) {
+               if ( m == v[i].mask ) {
+                       if ( bv != NULL ) {
+                               *bv = v[i].word;
+                       }
+                       return i;
+               }
+       }
+       return -1;
+}
+
 static slap_verbmasks tlskey[] = {
        { BER_BVC("no"),        SB_TLS_OFF },
        { BER_BVC("yes"),       SB_TLS_ON },
@@ -753,9 +756,7 @@ static slap_verbmasks tlskey[] = {
 };
 
 static slap_verbmasks methkey[] = {
-#if 0
        { BER_BVC("none"),      LDAP_AUTH_NONE },
-#endif
        { BER_BVC("simple"),    LDAP_AUTH_SIMPLE },
 #ifdef HAVE_CYRUS_SASL
        { BER_BVC("sasl"),      LDAP_AUTH_SASL },

diff --git a/servers/slapd/config.h b/servers/slapd/config.h
index 47badfe7a392d86408b7e831361c34f59edc53ff..bee94817e22d63637206403a34546d2f12013c66 100644 (file)
--- a/servers/slapd/config.h
+++ b/servers/slapd/config.h
@@ -139,6 +139,11 @@ typedef struct config_args_s {
        ConfigDriver *cleanup;
 } ConfigArgs;
 
+/* If lineno is zero, we have an actual LDAP Add request from a client.
+ * Otherwise, we're reading a config file or a config dir.
+ */
+#define CONFIG_ONLINE_ADD(ca)  (!((ca)->lineno))
+
 #define value_int values.v_int
 #define value_long values.v_long
 #define value_ber_t values.v_ber_t

diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 252912b22f8f22cd82332ff3fbc8dee769f73125..5699329c6efa64eb0c135f62086310cff94d8831 100644 (file)
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -28,6 +28,9 @@ static SLAP_CTRL_PARSE_FN parseAssert;
 static SLAP_CTRL_PARSE_FN parsePreRead;
 static SLAP_CTRL_PARSE_FN parsePostRead;
 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
+#ifdef LDAP_DEVEL
+static SLAP_CTRL_PARSE_FN parseManageDIT;
+#endif
 static SLAP_CTRL_PARSE_FN parseManageDSAit;
 static SLAP_CTRL_PARSE_FN parseModifyIncrement;
 static SLAP_CTRL_PARSE_FN parseNoOp;
@@ -160,6 +163,12 @@ static struct slap_control control_defs[] = {
                (int)offsetof(struct slap_control_ids, sc_modifyIncrement),
                SLAP_CTRL_HIDE|SLAP_CTRL_MODIFY, NULL,
                parseModifyIncrement, LDAP_SLIST_ENTRY_INITIALIZER(next) },
+#endif
+#ifdef LDAP_DEVEL
+       { LDAP_CONTROL_MANAGEDIT,
+               (int)offsetof(struct slap_control_ids, sc_manageDIT),
+               SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE, NULL,
+               parseManageDIT, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 #endif
        { LDAP_CONTROL_MANAGEDSAIT,
                (int)offsetof(struct slap_control_ids, sc_manageDSAit),
@@ -405,8 +414,8 @@ slap_global_control( Operation *op, const char *oid, int *cid )
        if ( cid ) *cid = ctrl->sc_cid;
 
        if ( ( ctrl->sc_mask & SLAP_CTRL_GLOBAL ) ||
-                       ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
-                       ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
+               ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
+               ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
        {
                return LDAP_COMPARE_TRUE;
        }
@@ -710,6 +719,30 @@ static int parseModifyIncrement (
        return LDAP_SUCCESS;
 }
 
+#ifdef LDAP_DEVEL
+static int parseManageDIT (
+       Operation *op,
+       SlapReply *rs,
+       LDAPControl *ctrl )
+{
+       if ( op->o_managedit != SLAP_CONTROL_NONE ) {
+               rs->sr_text = "manageDIT control specified multiple times";
+               return LDAP_PROTOCOL_ERROR;
+       }
+
+       if ( ctrl->ldctl_value.bv_len ) {
+               rs->sr_text = "manageDIT control value not empty";
+               return LDAP_PROTOCOL_ERROR;
+       }
+
+       op->o_managedit = ctrl->ldctl_iscritical
+               ? SLAP_CONTROL_CRITICAL
+               : SLAP_CONTROL_NONCRITICAL;
+
+       return LDAP_SUCCESS;
+}
+#endif
+
 static int parseManageDSAit (
        Operation *op,
        SlapReply *rs,

diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c
index f80cebdf66a833066b535c764fdac3ac89343c70..77b0d5013a2a630dd7fc6559227788b7b3ae77dd 100644 (file)
--- a/servers/slapd/modify.c
+++ b/servers/slapd/modify.c
@@ -187,7 +187,7 @@ do_modify(
        }
 
        rs->sr_err = slap_mods_check( modlist, &rs->sr_text,
-                       textbuf, textlen, NULL );
+               textbuf, textlen, NULL );
 
        if ( rs->sr_err != LDAP_SUCCESS ) {
                send_ldap_result( op, rs );
@@ -226,6 +226,8 @@ fe_op_modify( Operation *op, SlapReply *rs )
        int             increment = op->orm_increment;
        int             rc = 0;
        BackendDB *op_be;
+       char            textbuf[ SLAP_TEXT_BUFLEN ];
+       size_t          textlen = sizeof( textbuf );
        
        if( op->o_req_ndn.bv_len == 0 ) {
                Debug( LDAP_DEBUG_ANY, "do_modify: root dse!\n", 0, 0, 0 );
@@ -348,6 +350,15 @@ fe_op_modify( Operation *op, SlapReply *rs )
                goto cleanup;
        }
 
+       {
+               rs->sr_err = slap_mods_obsolete_check( op, modlist,
+                       &rs->sr_text, textbuf, textlen );
+               if ( rs->sr_err != LDAP_SUCCESS ) {
+                       send_ldap_result( op, rs );
+                       goto cleanup;
+               }
+       }
+
        /* check for modify/increment support */
        if( increment && !SLAP_INCREMENT( op->o_bd ) ) {
                send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -427,23 +438,19 @@ fe_op_modify( Operation *op, SlapReply *rs )
 #endif
                {
                        int             update = !BER_BVISEMPTY( &op->o_bd->be_update_ndn );
-                       char            textbuf[ SLAP_TEXT_BUFLEN ];
-                       size_t          textlen = sizeof( textbuf );
                        slap_callback   cb = { NULL, slap_replog_cb, NULL, NULL };
 
                        op->o_bd = op_be;
 
                        if ( !update ) {
-                               rs->sr_err = slap_mods_no_update_check( modlist,
-                                               &rs->sr_text, textbuf, textlen );
+                               rs->sr_err = slap_mods_no_user_mod_check( op, modlist,
+                                       &rs->sr_text, textbuf, textlen );
                                if ( rs->sr_err != LDAP_SUCCESS ) {
                                        send_ldap_result( op, rs );
                                        goto cleanup;
                                }
                        }
 
-
-
                        if ( !repl_user ) {
                                for( modtail = &modlist;
                                        *modtail != NULL;
@@ -521,20 +528,30 @@ cleanup:;
 }
 
 /*
- * Do non-update constraint checking.
+ * Obsolete constraint checking.
  */
 int
-slap_mods_no_update_check(
+slap_mods_obsolete_check(
+       Operation *op,
        Modifications *ml,
        const char **text,
        char *textbuf,
        size_t textlen )
 {
+       if( get_manageDIT( op ) ) return LDAP_SUCCESS;
+
        for ( ; ml != NULL; ml = ml->sml_next ) {
-               if ( is_at_no_user_mod( ml->sml_desc->ad_type ) ) {
-                       /* user modification disallowed */
+               if ( is_at_obsolete( ml->sml_desc->ad_type ) &&
+                       (( ml->sml_op != LDAP_MOD_REPLACE &&
+                               ml->sml_op != LDAP_MOD_DELETE ) ||
+                                       ml->sml_values != NULL ))
+               {
+                       /*
+                        * attribute is obsolete,
+                        * only allow replace/delete with no values
+                        */
                        snprintf( textbuf, textlen,
-                               "%s: no user modification allowed",
+                               "%s: attribute is obsolete",
                                ml->sml_type.bv_val );
                        *text = textbuf;
                        return LDAP_CONSTRAINT_VIOLATION;
@@ -544,6 +561,44 @@ slap_mods_no_update_check(
        return LDAP_SUCCESS;
 }
 
+/*
+ * No-user-modification constraint checking.
+ */
+int
+slap_mods_no_user_mod_check(
+       Operation *op,
+       Modifications *ml,
+       const char **text,
+       char *textbuf,
+       size_t textlen )
+{
+       for ( ; ml != NULL; ml = ml->sml_next ) {
+               if ( !is_at_no_user_mod( ml->sml_desc->ad_type ) ) continue;
+
+               if( get_manageDIT( op )) {
+                       if ( ml->sml_desc->ad_type->sat_flags & SLAP_AT_MANAGEABLE ) {
+                               continue;
+                       }
+
+                       /* attribute not manageable */
+                       snprintf( textbuf, textlen,
+                               "%s: no-user-modification attribute not manageable",
+                               ml->sml_type.bv_val );
+
+               } else {
+                       /* user modification disallowed */
+                       snprintf( textbuf, textlen,
+                               "%s: no user modification allowed",
+                               ml->sml_type.bv_val );
+               }
+
+               *text = textbuf;
+               return LDAP_CONSTRAINT_VIOLATION;
+       }
+
+       return LDAP_SUCCESS;
+}
+
 /*
  * Do basic attribute type checking and syntax validation.
  */
@@ -603,17 +658,6 @@ int slap_mods_check(
                }
 
 #if 0
-               /* moved to slap_mods_no_update_check() */
-               if (!update && is_at_no_user_mod( ad->ad_type )) {
-                       /* user modification disallowed */
-                       snprintf( textbuf, textlen,
-                               "%s: no user modification allowed",
-                               ml->sml_type.bv_val );
-                       *text = textbuf;
-                       return LDAP_CONSTRAINT_VIOLATION;
-               }
-#endif
-
                if ( is_at_obsolete( ad->ad_type ) &&
                        (( ml->sml_op != LDAP_MOD_REPLACE &&
                                ml->sml_op != LDAP_MOD_DELETE ) ||
@@ -629,6 +673,7 @@ int slap_mods_check(
                        *text = textbuf;
                        return LDAP_CONSTRAINT_VIOLATION;
                }
+#endif
 
                if ( ml->sml_op == LDAP_MOD_INCREMENT &&
 #ifdef SLAPD_REAL_SYNTAX

diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c
index 4fd1ff04b78a9b787312d5b023921f80cd55e5e1..3615ab16dfb240dc2d21f91d21dbb8b6abe72b89 100644 (file)
--- a/servers/slapd/overlays/dynlist.c
+++ b/servers/slapd/overlays/dynlist.c
@@ -689,18 +689,17 @@ dynlist_db_open(
 {
        slap_overinst   *on = (slap_overinst *) be->bd_info;
        dynlist_info    *dli = (dynlist_info *)on->on_bi.bi_private;
-       int             rc = 0;
        ber_len_t       len;
        char            *ptr;
 
        if ( dli->dli_oc == NULL ) {
                fprintf( stderr, "dynlist_db_open(): missing \"dynlist-oc <ObjectClass>\"\n" );
-               rc = -1;
+               return -1;
        }
 
        if ( dli->dli_ad == NULL ) {
                fprintf( stderr, "dynlist_db_open(): missing \"dynlist-ad <AttributeDescription>\"\n" );
-               rc = -1;
+               return -1;
        }
 
        len = STRLENOF( "(!(objectClass=" "))" )
@@ -715,7 +714,7 @@ dynlist_db_open(
        ptr = lutil_strcopy( ptr, "))" );
        dli->dli_default_filter.bv_len = ptr - dli->dli_default_filter.bv_val;
 
-       return rc;
+       return 0;
 }
 
 static int

diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
index 1111e32294f536c8c32a2172987885174bd4e85a..0e1349a18144209a21e60bde5797256144b66cce 100644 (file)
--- a/servers/slapd/overlays/pcache.c
+++ b/servers/slapd/overlays/pcache.c
@@ -636,10 +636,12 @@ free_query (CachedQuery* qc)
        free(qc->q_uuid.bv_val);
        filter_free(q->filter);
        free (q->base.bv_val);
-       for (i=0; q->attrs[i].an_name.bv_val; i++) {
-               free(q->attrs[i].an_name.bv_val);
+       if ( q->attrs ) {
+               for (i=0; q->attrs[i].an_name.bv_val; i++) {
+                       free(q->attrs[i].an_name.bv_val);
+               }
+               free(q->attrs);
        }
-       free(q->attrs);
        free(qc);
 }
 
@@ -984,8 +986,9 @@ filter2template(
 
        (*filter_attrs)[*filter_cnt].an_desc = ad;
        (*filter_attrs)[*filter_cnt].an_name = ad->ad_cname;
-       (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
-       (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
+       (*filter_attrs)[*filter_cnt].an_oc = NULL;
+       (*filter_attrs)[*filter_cnt].an_oc_exclude = 0;
+       BER_BVZERO( &(*filter_attrs)[*filter_cnt+1].an_name );
        (*filter_cnt)++;
        return 0;
 }
@@ -1010,7 +1013,6 @@ cache_entries(
        slap_overinst *on = si->on;
        cache_manager *cm = on->on_bi.bi_private;
        query_manager*          qm = cm->qm;
-       int             i;
        int             return_val = 0;
        Entry           *e;
        struct berval   crp_uuid;
@@ -1166,10 +1168,11 @@ add_filter_attrs(
        *new_attrs = (AttributeName*)(op->o_tmpalloc((count+1)*
                sizeof(AttributeName), op->o_tmpmemctx));
        if (attrs == NULL) {
-               (*new_attrs)[0].an_name.bv_val = "*";
-               (*new_attrs)[0].an_name.bv_len = 1;
-               (*new_attrs)[1].an_name.bv_val = NULL;
-               (*new_attrs)[1].an_name.bv_len = 0;
+               BER_BVSTR( &(*new_attrs)[0].an_name, "*" );
+               (*new_attrs)[0].an_desc = NULL;
+               (*new_attrs)[0].an_oc = NULL;
+               (*new_attrs)[0].an_oc_exclude = 0;
+               BER_BVZERO( &(*new_attrs)[1].an_name );
                alluser = 1;
                allop = 0;
        } else {
@@ -1177,8 +1180,7 @@ add_filter_attrs(
                        (*new_attrs)[i].an_name = attrs[i].an_name;
                        (*new_attrs)[i].an_desc = attrs[i].an_desc;
                }
-               (*new_attrs)[count].an_name.bv_val = NULL;
-               (*new_attrs)[count].an_name.bv_len = 0;
+               BER_BVZERO( &(*new_attrs)[count].an_name );
                alluser = an_find(*new_attrs, &AllUser);
                allop = an_find(*new_attrs, &AllOper);
        }
@@ -1195,9 +1197,10 @@ add_filter_attrs(
                                        (count+2)*sizeof(AttributeName), op->o_tmpmemctx));
                (*new_attrs)[count].an_name = filter_attrs[i].an_name;
                (*new_attrs)[count].an_desc = filter_attrs[i].an_desc;
+               (*new_attrs)[count].an_oc = NULL;
+               (*new_attrs)[count].an_oc_exclude = 0;
                count++;
-               (*new_attrs)[count].an_name.bv_val = NULL;
-               (*new_attrs)[count].an_name.bv_len = 0;
+               BER_BVZERO( &(*new_attrs)[count].an_name );
        }
 }
 
@@ -1215,7 +1218,6 @@ proxy_cache_search(
        int i = -1;
 
        AttributeName   *filter_attrs = NULL;
-       AttributeName   *new_attrs = NULL;
 
        Query           query;
 
@@ -1312,15 +1314,18 @@ proxy_cache_search(
                        for ( count = 0; !BER_BVISNULL( &op->ors_attrs[ count ].an_name ); count++ ) {
                                ber_dupbv( &query.attrs[count].an_name, &op->ors_attrs[count].an_name );
                                query.attrs[count].an_desc = op->ors_attrs[count].an_desc;
+                               query.attrs[count].an_oc = op->ors_attrs[count].an_oc;
+                               query.attrs[count].an_oc_exclude = op->ors_attrs[count].an_oc_exclude;
                        }
                        if ( oc_attr_absent ) {
                                query.attrs[ count ].an_desc = slap_schema.si_ad_objectClass;
                                ber_dupbv( &query.attrs[count].an_name,
                                        &slap_schema.si_ad_objectClass->ad_cname );
+                               query.attrs[ count ].an_oc = NULL;
+                               query.attrs[ count ].an_oc_exclude = 0;
                                count++;
                        }
-                       query.attrs[ count ].an_name.bv_val = NULL;
-                       query.attrs[ count ].an_name.bv_len = 0;
+                       BER_BVZERO( &query.attrs[ count ].an_name );
                }
                add_filter_attrs(op, &op->ors_attrs, query.attrs, filter_attrs);
 
@@ -1808,9 +1813,10 @@ pc_cf_gen( ConfigArgs *c )
                                        qm->attr_sets[num].count = 0;
                                        return 1;
                                }
+                               attr_name->an_oc = NULL;
+                               attr_name->an_oc_exclude = 0;
                                attr_name++;
-                               attr_name->an_name.bv_val = NULL;
-                               attr_name->an_name.bv_len = 0;
+                               BER_BVZERO( &attr_name->an_name );
                        }
                }
                break;
@@ -1935,17 +1941,6 @@ proxy_cache_open(
        slap_overinst   *on = (slap_overinst *)be->bd_info;
        cache_manager   *cm = on->on_bi.bi_private;
        int             rc = 0;
-       int             i;
-
-       /* consistency check (add more...) */
-       for ( i = 0; i < cm->numattrsets; i++ ) {
-               if ( cm->qm->attr_sets[i].attrs == NULL ) {
-                       Debug( LDAP_DEBUG_ANY, "proxy_cache_open(): "
-                               "attr set %d (of %d) missing\n",
-                               i, cm->numattrsets, 0 );
-                       return 1;
-               }
-       }
 
        /* need to inherit something from the original database... */
        cm->db.be_def_limit = be->be_def_limit;
@@ -2071,7 +2066,7 @@ int pcache_init()
                return code;
        }
 
-       proxy_cache.on_bi.bi_type = "proxycache";
+       proxy_cache.on_bi.bi_type = "pcache";
        proxy_cache.on_bi.bi_db_init = proxy_cache_init;
        proxy_cache.on_bi.bi_db_config = proxy_cache_config;
        proxy_cache.on_bi.bi_db_open = proxy_cache_open;

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index effa673641bbf94ef69d4a327e007fec97143ef9..2937ae3cf9795fb029a66a52d88f6dec21872085 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -55,7 +55,7 @@ typedef struct pp_info {
  * used by all instances
  */
 typedef struct pw_conn {
-       int restrict;           /* TRUE if connection is restricted */
+       int restricted;         /* TRUE if connection is restricted */
 } pw_conn;
 
 static pw_conn *pwcons;
@@ -792,7 +792,7 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs )
                         * that we are disallowed from doing anything
                         * other than change password.
                         */
-                       pwcons[op->o_conn->c_conn_idx].restrict = 1;
+                       pwcons[op->o_conn->c_conn_idx].restricted = 1;
 
                        ppb->pErr = PP_changeAfterReset;
 
@@ -998,11 +998,11 @@ ppolicy_bind( Operation *op, SlapReply *rs )
        return SLAP_CB_CONTINUE;
 }
 
-/* Reset the restrict flag for the next session on this connection */
+/* Reset the restricted flag for the next session on this connection */
 static int
 ppolicy_unbind( Operation *op, SlapReply *rs )
 {
-       pwcons[op->o_conn->c_conn_idx].restrict = 0;
+       pwcons[op->o_conn->c_conn_idx].restricted = 0;
        return SLAP_CB_CONTINUE;
 }
 
@@ -1020,7 +1020,7 @@ ppolicy_restrict(
                send_ctrl = 1;
        }
 
-       if ( op->o_conn && pwcons[op->o_conn->c_conn_idx].restrict ) {
+       if ( op->o_conn && pwcons[op->o_conn->c_conn_idx].restricted ) {
                Debug( LDAP_DEBUG_TRACE,
                        "connection restricted to password changing only\n", 0, 0, 0);
                if ( send_ctrl ) {
@@ -1233,7 +1233,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
                }
        }
        
-       if (pwcons[op->o_conn->c_conn_idx].restrict && !mod_pw_only) {
+       if (pwcons[op->o_conn->c_conn_idx].restricted && !mod_pw_only) {
                Debug( LDAP_DEBUG_TRACE,
                        "connection restricted to password changing only\n", 0, 0, 0 );
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS; 

diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c
index 9a6483229daaf602a3c35df634460383fdcee394..ba948e6193c5fc467462671e41be443e6a0f3cc3 100644 (file)
--- a/servers/slapd/overlays/translucent.c
+++ b/servers/slapd/overlays/translucent.c
@@ -585,6 +585,7 @@ static int translucent_config(
        slap_overinst *on = (slap_overinst *) be->bd_info;
        overlay_stack *ov = on->on_bi.bi_private;
        void *private = be->be_private;
+       void *be_cf_ocs = be->be_cf_ocs;
        int rc;
 
        /* "this should never happen" */
@@ -594,8 +595,10 @@ static int translucent_config(
        }
 
        be->be_private = ov->private;
+       be->be_cf_ocs = ov->info->bi_cf_ocs;
        rc = ov->info->bi_db_config ? ov->info->bi_db_config(be, fname, lineno, argc, argv) : 0;
        be->be_private = private;
+       be->be_cf_ocs = be_cf_ocs;
 
        /* pass okay or error up, SLAP_CONF_UNKNOWN might be ours */
        if(rc == 0 || rc == 1) return(rc);

diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index 0480f3216c50e92303a92fa792f7e0eb74a67067..270b1148b21e920f1d56f9877d7f2d002eece78d 100644 (file)
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -78,10 +78,9 @@ int passwd_extop(
                return rs->sr_err;
        }
 
-       if ( id.bv_len ) {
-               ber_dupbv_x( &op->o_req_dn, &id, op->o_tmpmemctx );
-               /* ndn is in tmpmem, so we don't need to free it */
-               rs->sr_err = dnNormalize( 0, NULL, NULL, &id, &op->o_req_ndn, op->o_tmpmemctx );
+       if ( !BER_BVISEMPTY( &id ) ) {
+               rs->sr_err = dnPrettyNormal( NULL, &id, &op->o_req_dn,
+                               &op->o_req_ndn, op->o_tmpmemctx );
                if ( rs->sr_err != LDAP_SUCCESS ) {
                        rs->sr_text = "Invalid DN";
                        rc = rs->sr_err;
@@ -315,7 +314,7 @@ int slap_passwd_parse( struct berval *reqdata,
                        goto decoding_error;
                }
 
-               tag = ber_peek_tag( ber, &len);
+               tag = ber_peek_tag( ber, &len );
        }
 
        if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 1250297aa396d462dc71292166b45c39857219f0..f5ed80742f02c2f5032ed69e8e966994895c66e4 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -472,6 +472,8 @@ LDAP_SLAPD_F (int) verbs_to_mask LDAP_P((
        int argc, char *argv[], slap_verbmasks *v, slap_mask_t *m ));
 LDAP_SLAPD_F (int) mask_to_verbs LDAP_P((
        slap_verbmasks *v, slap_mask_t m, BerVarray *bva ));
+LDAP_SLAPD_F (int) enum_to_verb LDAP_P((
+       slap_verbmasks *v, slap_mask_t m, struct berval *bv ));
 LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
        const char *word,  slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
@@ -878,7 +880,14 @@ LDAP_SLAPD_F (int) slap_modrdn2mods(
 /*
  * modify.c
  */
-LDAP_SLAPD_F( int ) slap_mods_no_update_check(
+LDAP_SLAPD_F( int ) slap_mods_obsolete_check(
+       Operation *op,
+       Modifications *ml,
+       const char **text,
+       char *textbuf, size_t textlen );
+
+LDAP_SLAPD_F( int ) slap_mods_no_user_mod_check(
+       Operation *op,
        Modifications *ml,
        const char **text,
        char *textbuf, size_t textlen );
@@ -1272,7 +1281,10 @@ LDAP_SLAPD_F( int ) structural_class(
        char *textbuf, size_t textlen );
 
 LDAP_SLAPD_F( int ) entry_schema_check(
-       Backend *be, Entry *e, Attribute *attrs,
+       Backend *be,
+       Entry *e,
+       Attribute *attrs,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen );
 
@@ -1560,6 +1572,60 @@ LDAP_SLAPD_F (int) fe_op_unbind LDAP_P((Operation *op, SlapReply *rs));
 #endif
 LDAP_SLAPD_F (int) fe_extended LDAP_P((Operation *op, SlapReply *rs));
 
+/* NOTE: this macro assumes that bv has been allocated
+ * by ber_* malloc functions or is { 0L, NULL } */
+#if defined(HAVE_BIGNUM)
+#define UI2BVX(bv,ui,ctx) \
+       do { \
+               char            *val; \
+               ber_len_t       len; \
+               val = BN_bn2dec(ui); \
+               if (val) { \
+                       len = strlen(val); \
+                       if ( len > (bv)->bv_len ) { \
+                               (bv)->bv_val = ber_memrealloc_x( (bv)->bv_val, len + 1, (ctx) ); \
+                       } \
+                       AC_MEMCPY((bv)->bv_val, val, len + 1); \
+                       (bv)->bv_len = len; \
+                       OPENSSL_free(val); \
+               } else { \
+                       ber_memfree_x( (bv)->bv_val, (ctx) ); \
+                       BER_BVZERO( (bv) ); \
+               } \
+       } while ( 0 )
+#elif defined(HAVE_GMP)
+/* NOTE: according to the documentation, the result 
+ * of mpz_sizeinbase() can exceed the length of the
+ * string representation of the number by 1
+ */
+#define UI2BVX(bv,ui,ctx) \
+       do { \
+               ber_len_t       len = mpz_sizeinbase( (ui), 10 ); \
+               if ( len > (bv)->bv_len ) { \
+                       (bv)->bv_val = ber_memrealloc_x( (bv)->bv_val, len + 1, (ctx) ); \
+               } \
+               (void)mpz_get_str( (bv)->bv_val, 10, (ui) ); \
+               if ( (bv)->bv_val[ len - 1 ] == '\0' ) { \
+                       len--; \
+               } \
+               (bv)->bv_len = len; \
+       } while ( 0 )
+#else /* ! HAVE_BIGNUM && ! HAVE_GMP */
+#define UI2BVX(bv,ui,ctx) \
+       do { \
+               char            buf[] = "+9223372036854775807L"; \
+               ber_len_t       len; \
+               snprintf( buf, sizeof( buf ), "%lu", (ui) ); \
+               len = strlen( buf ); \
+               if ( len > (bv)->bv_len ) { \
+                       (bv)->bv_val = ber_memrealloc_x( (bv)->bv_val, len + 1, (ctx) ); \
+               } \
+               AC_MEMCPY( (bv)->bv_val, buf, len + 1 ); \
+       } while ( 0 )
+#endif /* ! HAVE_GMP */
+
+#define UI2BV(bv,ui)   UI2BVX(bv,ui,NULL)
+
 LDAP_END_DECL
 
 #endif /* PROTO_SLAP_H */

diff --git a/servers/slapd/result.c b/servers/slapd/result.c
index 964a01c3afb6b5992f346fb411b568f712ddd1b8..97c5cf385723a7b4225ce032140c2531bea0ec10 100644 (file)
--- a/servers/slapd/result.c
+++ b/servers/slapd/result.c
@@ -577,7 +577,7 @@ slap_send_ldap_result( Operation *op, SlapReply *rs )
        if ( rs->sr_err == SLAPD_ABANDON )
                goto abandon;
 
-       assert( !LDAP_API_ERROR( rs->sr_err ));
+       assert( !LDAP_API_ERROR( rs->sr_err ) );
 
        Debug( LDAP_DEBUG_TRACE,
                "send_ldap_result: %s p=%d\n",
@@ -1401,6 +1401,7 @@ slap_send_search_reference( Operation *op, SlapReply *rs )
                goto rel;
        }
 
+       rc = 0;
        if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
                be_entry_release_rw( op, rs->sr_entry, 0 );
                rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 091a7d21390a78f0e9351adc76755f85232b5a44..87fce497a5e848222180adb68ecc90b43bb3a21c 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -386,8 +386,8 @@ slap_auxprop_store(
        rc = slap_mods_check( modlist, &text, textbuf, textlen, NULL );
 
        if ( rc == LDAP_SUCCESS ) {
-               rc = slap_mods_no_update_check( modlist, &text,
-                               textbuf, textlen );
+               rc = slap_mods_no_user_mod_check( &op, modlist,
+                       &text, textbuf, textlen );
 
                if ( rc == LDAP_SUCCESS ) {
                        rc = slap_mods_opattrs( &op, modlist, modtail,

diff --git a/servers/slapd/schema_check.c b/servers/slapd/schema_check.c
index cdf21460cae777dbd8e7203d8f1b37cbe3e2007b..1d47ff4365ecb1f3f5ef508518fc089e9e42a973 100644 (file)
--- a/servers/slapd/schema_check.c
+++ b/servers/slapd/schema_check.c
@@ -31,6 +31,7 @@ static char * oc_check_required(
 
 static int entry_naming_check(
        Entry *e,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen );
 /*
@@ -45,6 +46,7 @@ entry_schema_check(
        Backend *be,
        Entry *e,
        Attribute *oldattrs,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen )
 {
@@ -151,7 +153,7 @@ entry_schema_check(
                return LDAP_OTHER;
        }
 
-       if( sc->soc_obsolete ) {
+       if( !manage && sc->soc_obsolete ) {
                snprintf( textbuf, textlen, 
                        "structuralObjectClass '%s' is OBSOLETE",
                        asc->a_vals[0].bv_val );
@@ -201,7 +203,7 @@ entry_schema_check(
 
        /* naming check */
        if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) {
-               rc = entry_naming_check( e, text, textbuf, textlen );
+               rc = entry_naming_check( e, manage, text, textbuf, textlen );
                if( rc != LDAP_SUCCESS ) {
                        return rc;
                }
@@ -217,7 +219,7 @@ entry_schema_check(
 
        /* check that the entry has required attrs of the content rule */
        if( cr ) {
-               if( cr->scr_obsolete ) {
+               if( !manage && cr->scr_obsolete ) {
                        snprintf( textbuf, textlen, 
                                "content rule '%s' is obsolete",
                                ldap_contentrule2name( &cr->scr_crule ));
@@ -292,7 +294,7 @@ entry_schema_check(
                        return LDAP_OBJECT_CLASS_VIOLATION;
                }
 
-               if ( oc->soc_obsolete ) {
+               if ( !manage && oc->soc_obsolete ) {
                        /* disallow obsolete classes */
                        snprintf( textbuf, textlen, 
                                "objectClass '%s' is OBSOLETE",
@@ -727,6 +729,7 @@ int mods_structural_class(
 static int
 entry_naming_check(
        Entry *e,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen )
 {
@@ -787,7 +790,7 @@ entry_naming_check(
                        break;
                }
 
-               if( desc->ad_type->sat_obsolete ) {
+               if( !manage && desc->ad_type->sat_obsolete ) {
                        snprintf( textbuf, textlen, 
                                "naming attribute '%s' is obsolete",
                                ava->la_attr.bv_val );

diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c
index c22c935a9856c691cf433ebcb43edaa04e310c37..e6d66910cae7891aa3acea3198a863ca2136a557 100644 (file)
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@@ -449,7 +449,7 @@ static struct slap_schema_ad_map {
                        "EQUALITY objectIdentifierMatch "
                        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
                        "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-               NULL, 0,
+               NULL, SLAP_AT_MANAGEABLE,
                oidValidate, objectClassPretty,
                NULL, NULL, objectSubClassMatch,
                        objectSubClassIndexer, objectSubClassFilter,
@@ -460,7 +460,7 @@ static struct slap_schema_ad_map {
                        "ORDERING generalizedTimeOrderingMatch "
                        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
                        "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-               NULL, 0,
+               NULL, SLAP_AT_MANAGEABLE,
                NULL, NULL,
                NULL, NULL, NULL, NULL, NULL,
                offsetof(struct slap_internal_schema, si_ad_createTimestamp) },
@@ -470,7 +470,7 @@ static struct slap_schema_ad_map {
                        "ORDERING generalizedTimeOrderingMatch "
                        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
                        "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-               NULL, 0,
+               NULL, SLAP_AT_MANAGEABLE,
                NULL, NULL,
                NULL, NULL, NULL, NULL, NULL,
                offsetof(struct slap_internal_schema, si_ad_modifyTimestamp) },
@@ -479,7 +479,7 @@ static struct slap_schema_ad_map {
                        "EQUALITY distinguishedNameMatch "
                        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
                        "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-               NULL, 0,
+               NULL, SLAP_AT_MANAGEABLE,
                NULL, NULL,
                NULL, NULL, NULL, NULL, NULL,
                offsetof(struct slap_internal_schema, si_ad_creatorsName) },
@@ -488,7 +488,7 @@ static struct slap_schema_ad_map {
                        "EQUALITY distinguishedNameMatch "
                        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
                        "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-               NULL, 0,
+               NULL, SLAP_AT_MANAGEABLE,
                NULL, NULL,
                NULL, NULL, NULL, NULL, NULL,
                offsetof(struct slap_internal_schema, si_ad_modifiersName) },
@@ -845,6 +845,8 @@ static struct slap_schema_ad_map {
                NULL, NULL,
                NULL, NULL, NULL, NULL, NULL,
                offsetof(struct slap_internal_schema, si_ad_children) },
+
+       /* access control externals */
        { "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 "
                        "NAME ( 'authzTo' 'saslAuthzTo' ) "
                        "DESC 'proxy authorization targets' "

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index f7fd70d98d7c23f268b62845c6b2ba2f0c3cb465..b4e7e187a32fac1895021e72285ca185d78951cb 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -110,7 +110,7 @@ LDAP_BEGIN_DECL
 #endif
 
 #define SERVICE_NAME  OPENLDAP_PACKAGE "-slapd"
-#define SLAPD_ANONYMOUS "cn=anonymous"
+#define SLAPD_ANONYMOUS ""
 
 /* LDAPMod.mod_op value ===> Must be kept in sync with ldap.h!
  * This is a value used internally by the backends. It is needed to allow
@@ -658,20 +658,23 @@ typedef struct slap_attribute_type {
        AttributeTypeSchemaCheckFN      *sat_check;
        char                                    *sat_oidmacro;
 
-#define SLAP_AT_NONE           0x0000U
-#define SLAP_AT_ABSTRACT       0x0100U /* cannot be instantiated */
-#define SLAP_AT_FINAL          0x0200U /* cannot be subtyped */
+#define SLAP_AT_NONE                   0x0000U
+#define SLAP_AT_ABSTRACT               0x0100U /* cannot be instantiated */
+#define SLAP_AT_FINAL                  0x0200U /* cannot be subtyped */
 #ifdef LDAP_DEVEL
-#define SLAP_AT_HIDE           0x0000U /* publish everything */
+#define SLAP_AT_HIDE                   0x0000U /* publish everything */
 #else
-#define SLAP_AT_HIDE           0x8000U /* hide attribute */
+#define SLAP_AT_HIDE                   0x8000U /* hide attribute */
 #endif
-#define        SLAP_AT_DYNAMIC         0x0400U /* dynamically generated */
+#define        SLAP_AT_DYNAMIC                 0x0400U /* dynamically generated */
+
+#define SLAP_AT_MANAGEABLE             0x0800U /* no-user-mod can be by-passed */
 
 #define        SLAP_AT_ORDERED_VAL             0x0001U /* values are ordered */
 #define        SLAP_AT_ORDERED_SIB             0x0002U /* siblings are ordered */
-#define        SLAP_AT_ORDERED         0x0003U /* value has order index */
-#define        SLAP_AT_HARDCODE        0x10000U        /* This is hardcoded schema */
+#define        SLAP_AT_ORDERED                 0x0003U /* value has order index */
+
+#define        SLAP_AT_HARDCODE        0x10000U        /* hardcoded schema */
 
        slap_mask_t                                     sat_flags;
 
@@ -1302,7 +1305,7 @@ typedef struct slap_access {
 #define ACL_PRIV_MANAGE                        ACL_ACCESS2PRIV( ACL_MANAGE )
 
 /* NOTE: always use the highest level; current: 0x00ffUL */
-#define ACL_PRIV_MASK                  ((ACL_PRIV_MANAGE - 1) | ACL_QUALIFIER_MASK)
+#define ACL_PRIV_MASK                  ((ACL_ACCESS2PRIV(ACL_LAST) - 1) | ACL_QUALIFIER_MASK)
 
 /* priv flags */
 #define ACL_PRIV_LEVEL                 0x1000UL
@@ -1490,9 +1493,10 @@ LDAP_SLAPD_V (int) slapMode;
 #define        SLAP_TOOL_READONLY      0x0400
 #define        SLAP_TOOL_QUICK         0x0800
 
+#define SB_TLS_DEFAULT         (-1)
 #define SB_TLS_OFF             0
 #define SB_TLS_ON              1
-#define SB_TLS_CRITICAL        2
+#define SB_TLS_CRITICAL                2
 
 typedef struct slap_bindconf {
        int sb_tls;
@@ -1517,7 +1521,7 @@ struct slap_replica_info {
 
 typedef struct slap_verbmasks {
        struct berval word;
-       const int mask;
+       const slap_mask_t mask;
 } slap_verbmasks;
 
 #define SLAP_LIMIT_TIME        1
@@ -2211,6 +2215,7 @@ struct slap_control_ids {
        int sc_preRead;
        int sc_postRead;
        int sc_proxyAuthz;
+       int sc_manageDIT;
        int sc_manageDSAit;
        int sc_modifyIncrement;
        int sc_noOp;
@@ -2375,6 +2380,9 @@ typedef struct slap_op {
        char o_ctrlflag[SLAP_MAX_CIDS]; /* per-control flags */
        void **o_controls;              /* per-control state */
 
+#define o_managedit                            o_ctrlflag[slap_cids.sc_manageDIT]
+#define get_manageDIT(op)              _SCM((op)->o_managedit)
+
 #define o_managedsait  o_ctrlflag[slap_cids.sc_manageDSAit]
 #define get_manageDSAit(op)                            _SCM((op)->o_managedsait)
 
@@ -2443,6 +2451,7 @@ typedef struct slap_op {
        void    *o_private;     /* anything the backend needs */
 
        LDAP_STAILQ_ENTRY(slap_op)      o_next; /* next operation in list         */
+
 } Operation;
 #define        OPERATION_BUFFER_SIZE   (sizeof(Operation)+sizeof(Opheader)+SLAP_MAX_CIDS*sizeof(void *))
 
@@ -2667,6 +2676,8 @@ typedef struct slap_counters_t {
 #define SLAP_CTRL_HIDE                         0x80000000U
 #endif
 
+#define SLAP_CTRL_REQUIRES_ROOT                0x40000000U /* for ManageDIT */
+
 #define SLAP_CTRL_GLOBAL                       0x00800000U
 #define SLAP_CTRL_GLOBAL_SEARCH                0x00010000U     /* for NOOP */
 

diff --git a/servers/slapd/slapadd.c b/servers/slapd/slapadd.c
index 34ccc3fd8aa4a00434318f2e70253ab7ce29ebcc..ac66a3f00864a38ed6b9f74d2b03b16b33869053 100644 (file)
--- a/servers/slapd/slapadd.c
+++ b/servers/slapd/slapadd.c
@@ -53,6 +53,7 @@ slapadd( int argc, char **argv )
        char textbuf[SLAP_TEXT_BUFLEN] = { '\0' };
        size_t textlen = sizeof textbuf;
        const char *progname = "slapadd";
+       int manage = 0; 
 
        struct berval csn;
        struct berval maxcsn;
@@ -176,11 +177,13 @@ slapadd( int argc, char **argv )
                                        break;
                                }
 
-                               attr_merge_one( e, slap_schema.si_ad_structuralObjectClass, &val, NULL );
+                               attr_merge_one( e, slap_schema.si_ad_structuralObjectClass,
+                                       &val, NULL );
                        }
 
                        /* check schema */
-                       rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+                       rc = entry_schema_check( be, e, NULL, manage,
+                               &text, textbuf, textlen );
 
                        if( rc != LDAP_SUCCESS ) {
                                fprintf( stderr, "%s: dn=\"%s\" (line=%d): (%d) %s\n",

diff --git a/servers/slapd/slapi/slapi_ops.c b/servers/slapd/slapi/slapi_ops.c
index 3e32409ecf40e4adf29a0995d9fdf769ab298acf..5a95c62fc3973a6a9a95a6297e723057dfe86bae 100644 (file)
--- a/servers/slapd/slapi/slapi_ops.c
+++ b/servers/slapd/slapi/slapi_ops.c
@@ -455,23 +455,22 @@ slapi_int_ldapmod_to_entry(
                        size_t  textlen = sizeof( textbuf );
 
                        rc = slap_mods_check( modlist, &text, 
-                                       textbuf, textlen, NULL );
+                               textbuf, textlen, NULL );
                        if ( rc != LDAP_SUCCESS) {
                                goto cleanup;
                        }
 
                        if ( !update ) {
-                               rc = slap_mods_no_update_check( modlist,
-                                               &text, textbuf, textlen );
+                               rc = slap_mods_no_user_mod_check( op, modlist,
+                                       &text, textbuf, textlen );
                                if ( rc != LDAP_SUCCESS) {
                                        goto cleanup;
                                }
                        }
 
                        if ( !repl_user ) {
-                               rc = slap_mods_opattrs( op,
-                                               modlist, modtail, &text, 
-                                               textbuf, textlen, 1 );
+                               rc = slap_mods_opattrs( op, modlist, modtail,
+                                       &text, textbuf, textlen, 1 );
                                if ( rc != LDAP_SUCCESS) {
                                        goto cleanup;
                                }
@@ -488,8 +487,7 @@ slapi_int_ldapmod_to_entry(
                }
        }
 
-cleanup:
-
+cleanup:;
        if ( dn.bv_val )
                slapi_ch_free( (void **)&dn.bv_val );
        if ( modlist != NULL )
@@ -1030,14 +1028,14 @@ slapi_modify_internal(
                        slap_callback   cb = { NULL, slap_replog_cb, NULL, NULL };
 
                        rs.sr_err = slap_mods_check( modlist,
-                                       &text, textbuf, textlen, NULL );
+                               &text, textbuf, textlen, NULL );
                        if ( rs.sr_err != LDAP_SUCCESS ) {
                                goto cleanup;
                        }
 
                        if ( !update ) {
-                               rs.sr_err = slap_mods_no_update_check( modlist,
-                                               &text, textbuf, textlen );
+                               rs.sr_err = slap_mods_no_user_mod_check( op, modlist,
+                                       &text, textbuf, textlen );
                                if ( rs.sr_err != LDAP_SUCCESS ) {
                                        goto cleanup;
                                }

diff --git a/servers/slapd/slapi/slapi_utils.c b/servers/slapd/slapi/slapi_utils.c
index 7590a93912675a39341fcd935ed42dea638bd9a2..1adeb85086284b2b9aa2744a2915492fc8f91375 100644 (file)
--- a/servers/slapd/slapi/slapi_utils.c
+++ b/servers/slapd/slapi/slapi_utils.c
@@ -4118,7 +4118,8 @@ int slapi_entry_schema_check( Slapi_PBlock *pb, Slapi_Entry *e )
        if ( slapi_pblock_get( pb, SLAPI_BACKEND, (void **)&be ) != 0 )
                return -1;
 
-       rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+       rc = entry_schema_check( be, e, NULL, 0,
+               &text, textbuf, textlen );
 
        return ( rc == LDAP_SUCCESS ) ? 0 : 1;
 #else

diff --git a/tests/data/manage.out b/tests/data/manage.out
new file mode 100644 (file)
index 0000000..8e12d50
--- /dev/null
+++ b/tests/data/manage.out
@@ -0,0 +1,451 @@
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+member: cn=Manager,dc=example,dc=com
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
+ ple,dc=com
+member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
+ =com
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa
+ mple,dc=com
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=exampl
+ e,dc=com
+owner: cn=Manager,dc=example,dc=com
+cn: All Staff
+description: Everyone in the sample data
+objectClass: groupOfNames
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com
+member: cn=Manager,dc=example,dc=com
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+owner: cn=Manager,dc=example,dc=com
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
+objectClass: groupOfNames
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Alumni Association
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,
+ dc=com
+objectClass: OpenLDAPperson
+objectClass: obsoletePerson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid: bjensen
+title: Mythical Manager, Research Systems
+postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
+ own, MI 48103-4943
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+userPassword:: YmplbnNlbg==
+mail: bjensen@mailgw.example.com
+homePostalAddress: 123 Wesley $ Anytown, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homePhone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimileTelephoneNumber: +1 313 555 2274
+telephoneNumber: +1 313 555 9022
+creatorsName: cn=Manager,dc=example,dc=com
+testObsolete: TRUE
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc
+ =com
+objectClass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+userPassword:: Ympvcm4=
+homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
+mail: bjorn@mailgw.example.com
+homePhone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimileTelephoneNumber: +1 313 555 2177
+telephoneNumber: +1 313 555 0355
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+drink: Lemonade
+homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
+description: Very tall
+facsimileTelephoneNumber: +1 313 555 3223
+telephoneNumber: +1 313 555 3664
+mail: dots@mail.alumni.example.com
+homePhone: +1 313 555 0454
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: dc=example,dc=com
+objectClass: top
+objectClass: organization
+objectClass: domainRelatedObject
+objectClass: dcObject
+dc: example
+l: Anytown, Michigan
+st: Michigan
+o: Example, Inc.
+o: EX
+o: Ex.
+description: The Example, Inc. at Anytown
+postalAddress: Example, Inc. $ 535 W. William St. $ Anytown, MI 48109 $ US
+telephoneNumber: +1 313 555 1817
+associatedDomain: example.com
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Groups
+creatorsName: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=
+ example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: ou=Information Technology Division,ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Information Technology Division
+description:: aMODwoPDgsKCw4PCgsOCwotFVlZQw4PCg8OCwoPDg8KCw4LCv0zDg8KDw4LCgsOD
+ woLDgsKKT8ODwoPDgsKDw4PCgsOCwqs6w4PCg8OCwoLDg8KCw4LCjUQkw4PCg8OCwoLDg8KCw4LCi
+ 01QUcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoLDg8KCw4LCik/Dg8KDw4
+ LCgsODwoLDgsKLRCQoZitEJMODwoPDgsKCw4PCgsOCwrfDg8KDw4LCg8ODwoLDgsKIw4PCg8OCwoP
+ Dg8KCw4LCgcODwoPDgsKDw4PCgsOCwqHDg8KDw4LCgsODwoLDgsKLRCQkZitEJMODwoPDgsKCw4PC
+ gsOCwrfDg8KDw4LCg8ODwoLDgsKQw4PCg8OCwoPDg8KCw4LCisODwoPDgsKCw4PCgsOCwotFUVZqU
+ MODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsKAw4PCg8OCwoLDg8KCw4LCik85dCTDg8KDw4
+ LCgsODwoLDgsKFQ8ODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4L
+ Cvzl0JMODwoPDgsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODwoPD
+ gsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKLRCTDg8KDw4LCgsODwoLDgsKDw4PCg8OCwoLDg8KCw
+ 4LCuMODwoPDgsKDw4PCgsOCwoR0Q8ODwoPDgsKCw4PCgsOCwoM9w4PCg8OCwoPDg8KCw4LChMODwo
+ PDgsKDw4PCgsOCwoFOdTrDg8KDw4LCg8ODwoLDgsKHw4PCg8OCwoPDg8KCw4LChMODwoPDgsKDw4P
+ CgsOCwoFOw4PCg8OCwoPDg8KCw4LCqMODwoPDgsKDw4PCgsOCwrtHw4PCg8OCwoLDg8KCw4LChcOD
+ woPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsK4dMODwoPDgsKDw4PCgsOCwqjDg8KDw4LCg8ODw
+ oLDgsKtR8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCiMODwo
+ PDgsKDw4PCgsOCwr9SfGrDg8KDw4LCgsODwoLDgsKLQGgxw4PCg8OCwoPDg8KCw4LCoWhQw4PCg8O
+ CwoPDg8KCw4LCv8ODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKKT8ODwoPDgsKCw4PCgsOC
+ wotEJDDDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCgHTDg8KDw4LCgsODwoLDgsKDw4PCg
+ 8OCwoPDg8KCw4LCuHXDg8KDw4LCgsODwoLDgsKLRCRqw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4
+ PCgsOCwojDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpPDg8K
+ Dw4LCg8ODwoLDgsKQXV9eW8ODwoPDgsKCw4PCgsOCwoPDg8KDw4LCg8ODwoLDgsKEw4PCg8OCwoPD
+ g8KCw4LCgsODwoPDgsKDw4PCgsOCwozDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODw
+ oPDgsKDw4PCgsOCwozDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgs
+ OCwoxWV8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKxw4PCg8OCwoLDg8KCw4LCi3wkw4P
+ Cg8OCwoLDg8KCw4LCjcODwoPDgsKCw4PCgsOCwofDg8KDw4LCg8ODwoLDgsKof8ODwoPDgsKDw4PC
+ gsOCwr/Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoLDg8KCw4LCg8ODwoPDgsKDw4PCgsOCwrh5w4PCg
+ 8OCwoLDg8KCw4LChzQzw4PCg8OCwoPDg8KCw4LCicODwoPDgsKCw4PCgsOCworDg8KDw4LCgsODwo
+ LDgsKIw4PCg8OCwoLDg8KCw4LCuDFBw4PCg8OCwoPDg8KCw4LCvyTDg8KDw4LCgsODwoLDgsKNdDF
+ Bw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwrhfXsODwoPD
+ gsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCwoLDg8KCw
+ 4LCi8ODwoPDgsKDw4PCgsOCwo7Dg8KDw4LCgsODwoLDgsKBw4PCg8OCwoPDg8KCw4LCv8ODwoPDgs
+ KCw4PCgsOCwoTDg8KDw4LCgsODwoLDgsKAdcODwoPDgsKDw4PCgsOCwqhtw4PCg8OCwoLDg8KCw4L
+ ChcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKEw4PCg8OCwoPDg8KCw4LCsMODwoPDgsKC
+ w4PCgsOCwrhfXsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCt
+ sODwoPDgsKDw4PCgsOCwq7Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4
+ PCgsOCwoPDg8KDw4LCg8ODwoLDgsKoZsODwoPDgsKCw4PCgsOCwoPDg8KDw4LCg8ODwoLDgsK4w4P
+ Cg8OCwoLDg8KCw4LCh8ODwoPDgsKDw4PCgsOCwpUzw4PCg8OCwoPDg8KCw4LCicODwoPDgsKCw4PC
+ gsOCworDg8KDw4LCgsODwoLDgsKISDJBw4PCg8OCwoPDg8KCw4LCvyTDg8KDw4LCgsODwoLDgsKNN
+ DJBw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKOw4PCg8OCwo
+ PDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpDDg8KDw4LCg8ODwoLDgsKIw4PCg8OCwoLDg8KCw4LCi8O
+ DwoPDgsKDw4PCgsOCwojDg8KDw4LCg8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCnEzDg8KDw4LCgsOD
+ woLDgsKLSEBmw4PCg8OCwoLDg8KCw4LCg3lwdSTDg8KDw4LCgsODwoLDgsKBw4PCg8OCwoPDg8KCw
+ 4LCv8ODwoPDgsKCw4PCgsOCwobDg8KDw4LCgsODwoLDgsKAw4PCg8OCwoLDg8KCw4LChMODwoPDgs
+ KCw4PCgsOCwp/Dg8KDw4LCgsODwoLDgsKBw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwoj
+ Dg8KDw4LCgsODwoLDgsKAw4PCg8OCwoLDg8KCw4LChMODwoPDgsKCw4PCgsOCwpPDg8KDw4LCgsOD
+ woLDgsKBw4PCg8OCwoPDg8KCw4LCv1rDg8KDw4LCgsODwoLDgsKAw4PCg8OCwoLDg8KCw4LChMODw
+ oPDgsKCw4PCgsOCwodqw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PCgsOCwoBqaMODwoPDgsKCw4
+ PCgsOCwpBQw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKDIMODwoPDgsKCw4PCgsOCwopPw4PCg8OCwoL
+ Dg8KCw4LChcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKOacODwoPDgsKCw4PCgsOCwrhf
+ XsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCw
+ oLDg8KCw4LCgcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKGw4PCg8OCwoLDg8KCw4LCgM
+ ODwoPDgsKCw4PCgsOCwoRJw4PCg8OCwoLDg8KCw4LCgcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsO
+ DwoLDgsKIw4PCg8OCwoLDg8KCw4LCgMODwoPDgsKCw4PCgsOCwoQ9w4PCg8OCwoLDg8KCw4LCgcOD
+ woPDgsKDw4PCgsOCwr9aw4PCg8OCwoLDg8KCw4LCgMODwoPDgsKCw4PCgsOCwoQxw4PCg8OCwoLDg
+ 8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwoM9w4PCg8OCwoPDg8KCw4LCm0
+ 7Dg8KDw4LCgsODwoLDgsKEw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsK
+ Cw4PCgsOCwrhfXsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLD
+ gsKCw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwrhfXsODw
+ oPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgs
+ OCwo7Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoLDg8KCw4LCkMODwoPDgsKDw4PCgsOCwojDg8KDw4L
+ CgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCiMODwoPDgsKDw4PCgsOCwqjDg8KDw4LCg8ODwoLDgsK+
+ S8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKww4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKDw
+ 4PCgsOCwoTDg8KDw4LCgsODwoLDgsKKT1DDg8KDw4LCg8ODwoLDgsKoRsODwoPDgsKCw4PCgsOCwo
+ vDg8KDw4LCg8ODwoLDgsK4w4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwrZ0Y8ODwoPDgsK
+ Cw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsK/dF/Dg8KDw4LCgsODwoLDgsKhdHpPw4PCg8OCwoLDg8KC
+ w4LCi8ODwoPDgsKDw4PCgsOCwo5Qw4PCg8OCwoPDg8KCw4LCqC1Jw4PCg8OCwoLDg8KCw4LChcODw
+ oPDgsKDw4PCgsOCwoB1RMODwoPDgsKCw4PCgsOCwqFwek/Dg8KDw4LCgsODwoLDgsKLw4PCg8OCwo
+ PDg8KCw4LCj1DDg8KDw4LCg8ODwoLDgsKoScODwoPDgsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsK
+ AdTPDg8KDw4LCgsODwoLDgsKhbHpPw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo5Qw4PC
+ g8OCwoPDg8KCw4LCqEnDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCgHXDg8KDw4LCgsODw
+ oLDgsKhaHpPw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo9Qw4PCg8OCwoPDg8KCw4LCqM
+ ODwoPDgsKDw4PCgsOCwrpIw4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwoB1M8ODwoPDgsK
+ Dw4PCgsOCwoBfXsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLD
+ gsKCw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgjPDg8KDw4LCg8ODwoLDgsKAX17Dg
+ 8KDw4LCg8ODwoLDgsKCw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo7Dg8KDw4LCg8ODwo
+ LDgsKoJ8ODwoPDgsKDw4PCgsOCwq3Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODwoP
+ DgsKCw4PCgsOCwoPDg8KDw4LCg8ODwoLDgsK4aHU5w4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PC
+ gsOCwovDg8KDw4LCg8ODwoLDgsKOw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpDDg8KDw
+ 4LCg8ODwoLDgsKIw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgs
+ KIw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpLDg8KDw4LCg8ODwoLDgsKEw4PCg8OCwoL
+ Dg8KCw4LChcODwoPDgsKDw4PCgsOCwoB0IcODwoPDgsKCw4PCgsOCwovDg8KDw4LCgsODwoLDgsKA
+ w4PCg8OCwoPDg8KCw4LCtMODwoPDgsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsKAdGbDg8KDw4LCg
+ sODwoLDgsKLQGY9dGY9dTPDg8KDw4LCg8ODwoLDgsKAX17Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCwo
+ LDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwrhfXsODwoPDgsKDw4PCgsO
+ CwoIzw4PCg8OCwoPDg8KCw4LCgF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwovDg8KD
+ w4LCg8ODwoLDgsK/Ri9BUC9BRi9BWi9BZC9BWzBBZC9BZTBBZC9BZC9BbzBBZC9BeTBBw4PCg8OCw
+ oLDg8KCw4LCgzBBMUFhMUFrMUE=
+description:: UF7Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgsOC
+ wozDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgsOCwozDg8KDw4LCg
+ 8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCqFDDg8KDw4LCg8ODwoLDgsKpRsODwoPDgsKDw4PCgsOCwo
+ zDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgsOCwozDg8KDw4LCg8O
+ DwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKCw4PCgsOCwotEJCDDg8KDw4LCgsODwoLDgsKD
+ w4PCg8OCwoPDg8KCw4LCrMODwoPDgsKCw4PCgsOCwotUJCRTw4PCg8OCwoLDg8KCw4LCi1wkJFbDg
+ 8KDw4LCgsODwoLDgsKJTCRXVVBSU8ODwoPDgsKDw4PCgsOCwqjDg8KDw4LCg8ODwoLDgsKdT8ODwo
+ PDgsKCw4PCgsOCwoN8JDB1w4PCg8OCwoPDg8KCw4LCh8ODwoPDgsKDw4PCgsOCwoDDg8KDw4LCg8O
+ DwoLDgsKBTsODwoPDgsKDw4PCgsOCwqktw4PCg8OCwoLDg8KCw4LCg3wkMHTDg8KDw4LCgsODwoLD
+ gsKDfCQww4PCg8OCwoLDg8KCw4LChTPDg8KDw4LCg8ODwoLDgsK2OTXDg8KDw4LCg8ODwoLDgsKAw
+ 4PCg8OCwoPDg8KCw4LCgU7Dg8KDw4LCgsODwoLDgsKEIMODwoPDgsKCw4PCgsOCwqFIw4PCg8OCwo
+ PDg8KCw4LChU7Dg8KDw4LCgsODwoLDgsKJNcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCg8ODwoLDgsK
+ BTsODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKIw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKD
+ w4PCgsOCwr9TXMODwoPDgsKCw4PCgsOCwolEJDvDg8KDw4LCg8ODwoLDgsKGw4PCg8OCwoLDg8KCw
+ 4LChMODwoPDgsKCw4PCgsOCwpHDg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLIEjDg8
+ KDw4LCg8ODwoLDgsKFTlDDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCv1Ngw4PCg8OCwoL
+ Dg8KCw4LCi8ODwoPDgsKDw4PCgsOCwpjDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCm3Rx
+ w4PCg8OCwoLDg8KCw4LCizvDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCi8ODwoPDgsKDw
+ 4PCgsOCwr9XaMODwoPDgsKCw4PCgsOCwolEJDvDg8KDw4LCg8ODwoLDgsKGdGLDg8KDw4LCgsODwo
+ LDgsKLf2zDg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCi1D
+ Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8OD
+ woLDgsKow4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwq10SmgoT03Dg8KDw4LCgsODwoLDg
+ sKLw4PCg8OCwoPDg8KCw4LCjcODwoPDgsKDw4PCgsOCwqggTMODwoPDgsKCw4PCgsOCwoXDg8KDw4
+ LCg8ODwoLDgsKAdDrDg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLTSBQUcODwoPDgsK
+ Dw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoLDg8KCw4LCik/Dg8KDw4LCgsODwoLDgsKL
+ RCQoZitEJCDDg8KDw4LCgsODwoLDgsK3w4PCg8OCwoPDg8KCw4LCiMODwoPDgsKDw4PCgsOCwoHDg
+ 8KDw4LCg8ODwoLDgsKhw4PCg8OCwoLDg8KCw4LCi0QkJGYrRCTDg8KDw4LCgsODwoLDgsK3w4PCg8
+ OCwoPDg8KCw4LCkMODwoPDgsKDw4PCgsOCworDg8KDw4LCgsODwoLDgsKLRSBRVmpQw4PCg8OCwoP
+ Dg8KCw4LCv8ODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKKTzl0JHXDg8KDw4LCgsODwoLD
+ gsKhOXQkw4PCg8OCwoLDg8KCw4LChW/Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODw
+ oPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKhRMODwoPDgsKDw4PCgsOCwoVOw4PCg8OCwoLDg8
+ KCw4LCi8ODwoPDgsKDw4PCgsOCwojDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCv1Ncw4P
+ Cg8OCwoLDg8KCw4LCiUQkw4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsOD
+ woLDgsKEw4PCg8OCwoPDg8KCw4LCtjPDg8KDw4LCg8ODwoLDgsK2w4PCg8OCwoLDg8KCw4LCjUQkw
+ 4PCg8OCwoLDg8KCw4LCiyBEw4PCg8OCwoPDg8KCw4LChU5Qw4PCg8OCwoLDg8KCw4LCi8ODwoPDgs
+ KDw4PCgsOCwr9TYMODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsK4w4PCg8OCwoLDg8KCw4L
+ ChcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKEw4PCg8OCwoPDg8KCw4LCkMODwoPDgsKC
+ w4PCgsOCwovDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCj8ODwoPDgsKDw4PCgsOCwr9Ta
+ MODwoPDgsKCw4PCgsOCwolEJDvDg8KDw4LCg8ODwoLDgsKGw4PCg8OCwoLDg8KCw4LChMODwoPDgs
+ KCw4PCgsOCwr3Dg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4L
+ Cj1DDg8KDw4LCg8ODwoLDgsK/U2zDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCqMODwoPD
+ gsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsKtw4PCg8OCwoLDg8KCw4LChMODwoPDgsKCw4PCgsOCw
+ p9oMMODwoPDgsKDw4PCgsOCwolMw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo3Dg8KDw4
+ LCg8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCq0vDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4L
+ CgMODwoPDgsKCw4PCgsOCwoTDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoLDg8KCw4LCi0QkOcODwoPD
+ gsKCw4PCgsOCwrDDg8KDw4LCg8ODwoLDgsKEdEU5w4PCg8OCwoLDg8KCw4LCtTR0PcODwoPDgsKCw
+ 4PCgsOCwovDg8KDw4LCg8ODwoLDgsKNw4PCg8OCwoPDg8KCw4LCqMODwoPDgsKDw4PCgsOCwo5Lw4
+ PCg8OCwoLDg8KCw4LCi0AgUMODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKsw4PCg8OCwoL
+ Dg8KCw4LCik/Dg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCgHUow4PCg8OCwoLDg8KCw4LC
+ i8ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCgsODwoLDgsKJw4PCg8OCwoLDg8KCw4LCtTTDg8KDw4LCg
+ 8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
+ ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=ITD Staff,ou=Groups,dc=example,dc=com
+owner: cn=Manager,dc=example,dc=com
+description: All ITD Staff
+cn: ITD Staff
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Manager,dc=example,dc=com
+uniqueMember: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=
+ example,dc=com
+uniqueMember: cn=James A Jones 2,ou=Information Technology Division,ou=People,
+ dc=example,dc=com
+uniqueMember: cn=John Doe,ou=Information Technology Division,ou=People,dc=exam
+ ple,dc=com
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: James A Jones 1
+cn: James Jones
+cn: Jim Jones
+sn: Jones
+uid: jaj
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+userPassword:: amFq
+homePostalAddress: 3882 Beverly Rd. $ Anytown, MI 48105
+homePhone: +1 313 555 4772
+description: Outstanding
+title: Mad Cow Researcher, UM Alumni Association
+pager: +1 313 555 3923
+mail: jaj@mail.alumni.example.com
+facsimileTelephoneNumber: +1 313 555 4332
+telephoneNumber: +1 313 555 0895
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example
+ ,dc=com
+objectClass: OpenLDAPperson
+cn: James A Jones 2
+cn: James Jones
+cn: Jim Jones
+sn: Doe
+uid: jjones
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+homePostalAddress: 933 Brooks $ Anytown, MI 48104
+homePhone: +1 313 555 8838
+title: Senior Manager, Information Technology Division
+description: Not around very much
+mail: jjones@mailgw.example.com
+postalAddress: Info Tech Division $ 535 W William $ Anytown, MI 48103
+pager: +1 313 555 2833
+facsimileTelephoneNumber: +1 313 555 8688
+telephoneNumber: +1 313 555 7334
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: Jane Doe
+cn: Jane Alverson
+sn: Doe
+uid: jdoe
+title: Programmer Analyst, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+homePostalAddress: 123 Anystreet $ Anytown, MI 48104
+drink: diet coke
+description: Enthusiastic
+mail: jdoe@woof.net
+homePhone: +1 313 555 5445
+pager: +1 313 555 1220
+facsimileTelephoneNumber: +1 313 555 2311
+telephoneNumber: +1 313 555 4774
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: Jennifer Smith
+cn: Jen Smith
+sn: Smith
+uid: jen
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+drink: Sam Adams
+homePostalAddress: 1000 Maple #44 $ Anytown, MI 48103
+title: Telemarketer, UM Alumni Association
+mail: jen@mail.alumni.example.com
+homePhone: +1 313 555 2333
+pager: +1 313 555 6442
+facsimileTelephoneNumber: +1 313 555 2756
+telephoneNumber: +1 313 555 8232
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: John Doe
+cn: Jonathon Doe
+sn: Doe
+uid: johnd
+postalAddress: ITD $ 535 W. William $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+homePostalAddress: 912 East Bllvd $ Anytown, MI 48104
+title: System Administrator, Information Technology Division
+description: overworked!
+mail: johnd@mailgw.example.com
+homePhone: +1 313 555 3774
+pager: +1 313 555 6573
+facsimileTelephoneNumber: +1 313 555 4544
+telephoneNumber: +1 313 555 9394
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Manager,dc=example,dc=com
+objectClass: person
+cn: Manager
+cn: Directory Manager
+cn: Dir Man
+sn: Manager
+description: Manager of the directory
+userPassword:: c2VjcmV0
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: Mark Elliot
+cn: Mark A Elliot
+sn: Elliot
+uid: melliot
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+homePostalAddress: 199 Outer Drive $ Ypsilanti, MI 48198
+homePhone: +1 313 555 0388
+drink: Gasoline
+title: Director, UM Alumni Association
+mail: melliot@mail.alumni.example.com
+pager: +1 313 555 7671
+facsimileTelephoneNumber: +1 313 555 7762
+telephoneNumber: +1 313 555 4177
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: Ursula Hampster
+sn: Hampster
+uid: uham
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+homePostalAddress: 123 Anystreet $ Anytown, MI 48104
+mail: uham@mail.alumni.example.com
+homePhone: +1 313 555 8421
+pager: +1 313 555 2844
+facsimileTelephoneNumber: +1 313 555 9700
+telephoneNumber: +1 313 555 5331
+creatorsName: cn=Manager,dc=example,dc=com
+modifiersName: cn=Manager,dc=example,dc=com
+

diff --git a/tests/data/slapd-cache-master.conf b/tests/data/slapd-cache-master.conf
index f4b8073aaaf6e3311053a5712eaa787bf938d34e..87476f20ddf29dfe565199256991bbad4f09d944 100644 (file)
--- a/tests/data/slapd-cache-master.conf
+++ b/tests/data/slapd-cache-master.conf
@@ -37,7 +37,11 @@ suffix               "dc=example,dc=com"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,dc=example,dc=com"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 #monitor#database monitor

diff --git a/tests/data/slapd-dn.conf b/tests/data/slapd-dn.conf
index c7e414c0898c2cc2ce6d6dbef66cfe78342189d4..eb429ae8cbc80b3171f4443bd3d1763168679255 100644 (file)
--- a/tests/data/slapd-dn.conf
+++ b/tests/data/slapd-dn.conf
@@ -37,7 +37,11 @@ suffix               "dc=example,dc=com"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,dc=example,dc=com"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 #monitor#database monitor

diff --git a/tests/data/slapd-emptydn.conf b/tests/data/slapd-emptydn.conf
index 55e5fa17083e4b274f15d0c2dc010005947ff572..b98b059ff6e68f47319cdd0f59d45bd5e4a2f35c 100644 (file)
--- a/tests/data/slapd-emptydn.conf
+++ b/tests/data/slapd-emptydn.conf
@@ -43,8 +43,12 @@ suffix               "dc=example,dc=com"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,dc=example,dc=com"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 access         to attrs=userPassword
                by dn.exact="cn=Manager,c=US" write
@@ -64,8 +68,12 @@ suffix               ""
 directory      ./testrun/db.2.a
 rootdn         "cn=Manager,c=US"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 access         to attrs=userPassword
                by self =wx

diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index 648ac31320dd738c330998724b9fbdd54ff8f9aa..6ade32efd89543051f144cb4000d7bd0fb4dffbb 100644 (file)
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -84,11 +84,8 @@ database     ldap
 suffix         "o=Example,c=US"
 uri            "@URI1@"
 
-#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" @SASL_MECH@
-#nosasl#idassert-method "simple"
-#nosasl#idassert-authcDN       "cn=Proxy US,ou=Admin,dc=example,dc=com"
-#nosasl#idassert-passwd                proxy
-idassert-mode  self
+#sasl#idassert-bind    bindmethod=sasl binddn="cn=Proxy US,ou=Admin,dc=example,dc=com" authcId="admin/proxy US" credentials="proxy" @SASL_MECH@ mode=self
+#nosasl#idassert-bind  bindmethod=simple binddn="cn=Proxy US,ou=Admin,dc=example,dc=com" credentials="proxy" mode=self
 
 # authorizes database
 idassert-authzFrom     "dn.subtree:dc=example,dc=it"
@@ -103,10 +100,7 @@ uri                "@URI1@"
 acl-authcDN    "cn=Proxy IT,ou=Admin,dc=example,dc=com"
 acl-passwd     proxy
 
-idassert-method "simple"
-idassert-authcDN       "cn=Proxy IT,ou=Admin,dc=example,dc=com"
-idassert-passwd                proxy
-idassert-mode  "dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
+idassert-bind  bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy" authzId="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
 
 # authorizes database
 idassert-authzFrom     "dn.subtree:dc=example,dc=com"

diff --git a/tests/data/slapd-ldapglue.conf b/tests/data/slapd-ldapglue.conf
index 95e9e286048ace4bd9b6938a647e0aef10cc7ddf..a07599d676d09dd2675512838332e8800540d56d 100644 (file)
--- a/tests/data/slapd-ldapglue.conf
+++ b/tests/data/slapd-ldapglue.conf
@@ -54,22 +54,16 @@ database        ldap
 suffix          "ou=People,dc=example,dc=com"
 uri             "@URI2@"
 # FIXME: doesn't work with authz=native
-#sasl#idassert-method  sasl authcid=proxy cred=proxy @SASL_MECH@
-#nosasl#idassert-method  simple
-#nosasl#idassert-authcDN "uid=proxy,ou=People,dc=example,dc=com"
-#nosasl#idassert-passwd  proxy
-idassert-mode   self
+#sasl#idassert-bind    bindmethod=sasl authcid=proxy credentials=proxy @SASL_MECH@ mode=self
+#nosasl#idassert-bind  bindmethod=simple binddn"uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
 
 # groups branch
 database        ldap
 suffix          "ou=Groups,dc=example,dc=com"
 uri             "@URI3@"
 # FIXME: doesn't work with authz=native
-#sasl#idassert-method  sasl authcid=proxy cred=proxy @SASL_MECH@
-#nosasl#idassert-method  simple
-#nosasl#idassert-authcDN "uid=proxy,ou=Groups,dc=example,dc=com"
-#nosasl#idassert-passwd  proxy
-idassert-mode    self
+#sasl#idassert-bind    bindmethod=sasl authcid=proxy credentials=proxy @SASL_MECH@ mode=self
+#nosasl#idassert-bind  bindmethod=simple binddn="uid=proxy,ou=Groups,dc=example,dc=com" credentials=proxy mode=self
 
 # root
 database        @BACKEND@

diff --git a/tests/data/slapd-meta.conf b/tests/data/slapd-meta.conf
index e1014af1c8d4c97d60191b6c2c9e81e306d175d7..1eefd7cbd4ad2b85e4d41f1304595c2a2f2d8f95 100644 (file)
--- a/tests/data/slapd-meta.conf
+++ b/tests/data/slapd-meta.conf
@@ -45,7 +45,7 @@ rootdn                "cn=Manager,o=Example,c=US"
 rootpw         secret
 chase-referrals        no
 #nretries      forever
-nretries       1000
+#nretries      1000
 
 # local
 uri            "@URI2@ou=Meta,o=Example,c=US"

diff --git a/tests/data/slapd-meta2.conf b/tests/data/slapd-meta2.conf
index bebcea2f11440f7eb00963935d9146143636bda6..dc65690a0c5ec1b305f75b93a986834b6eeae82b 100644 (file)
--- a/tests/data/slapd-meta2.conf
+++ b/tests/data/slapd-meta2.conf
@@ -44,6 +44,7 @@ suffix                "ou=Meta,dc=example,dc=com"
 directory      ./testrun/db.2.a
 rootdn         "cn=Manager,ou=Meta,dc=example,dc=com"
 rootpw         secret
-index          objectClass eq
+#bdb#index             objectClass eq
+#ldbm#index            objectClass eq
 
 #monitor#database      monitor

diff --git a/tests/data/slapd-ppolicy.conf b/tests/data/slapd-ppolicy.conf
index debfa68fa24fe79e1b824e04a598328c85cad51d..f58e536ff5eafa84d0971830d53768cd8c5a817d 100644 (file)
--- a/tests/data/slapd-ppolicy.conf
+++ b/tests/data/slapd-ppolicy.conf
@@ -38,7 +38,9 @@ suffix                "dc=example,dc=com"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,dc=example,dc=com"
 rootpw         secret
-index          objectClass eq
+#bdb#index             objectClass eq
+#hdb#index             objectClass eq
+#ldbm#index            objectClass eq
 overlay                ppolicy
 ppolicy_default        "cn=Standard Policy,ou=Policies,dc=example,dc=com"
 ppolicy_use_lockout

diff --git a/tests/data/slapd-proxycache.conf b/tests/data/slapd-proxycache.conf
index bfcb01a756c895a02ac156f7157612dbe32df552..1fac77c7d123ba542c62ef595b2f287a8b75e070 100644 (file)
--- a/tests/data/slapd-proxycache.conf
+++ b/tests/data/slapd-proxycache.conf
@@ -41,7 +41,7 @@ suffix          "dc=example,dc=com"
 rootdn          "dc=example,dc=com"
 uri            "@URI1@"
 
-overlay proxycache
+overlay                pcache
 proxycache     @BACKEND@ 100 2 @ENTRY_LIMIT@ @CACHETTL@
 proxyattrset 0         sn cn title uid
 proxyattrset 1         mail postaladdress telephonenumber cn uid
@@ -50,9 +50,15 @@ proxytemplate        (sn=) 0 @CACHETTL@
 proxytemplate          (uid=) 1 @CACHETTL@
 proxytemplate          (mail=) 0 @CACHETTL@
        
-cachesize 20
+#bdb#cachesize 20
+#hdb#cachesize 20
+#ldbm#cachesize 20
 directory ./testrun/db.2.a
-index          objectClass     eq
-index          cn,sn,uid,mail  pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid,mail  pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid,mail  pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid,mail  pres,eq,sub
 
 #monitor#database monitor

diff --git a/tests/data/slapd-pw.conf b/tests/data/slapd-pw.conf
index 4d7d3c85d536730e83317342631b7d97a660e1e2..e03f205d1767c580315c3b68a875c8472d20b9e3 100644 (file)
--- a/tests/data/slapd-pw.conf
+++ b/tests/data/slapd-pw.conf
@@ -37,8 +37,12 @@ suffix               "dc=example,dc=com"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,dc=example,dc=com"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 #
 # normal installations should protect root dse,

diff --git a/tests/data/slapd-ref-slave.conf b/tests/data/slapd-ref-slave.conf
index 131d2cadb788f74e8543525f7d37b5b09d4bc8b2..c36847bf4812586a801aa2da0ae1e076aa39dc30 100644 (file)
--- a/tests/data/slapd-ref-slave.conf
+++ b/tests/data/slapd-ref-slave.conf
@@ -35,7 +35,9 @@ argsfile    ./testrun/slapd.2.args
 referral       "@URI1@"
 
 database       @BACKEND@
-cachesize      0
+#bdb#cachesize 0
+#hdb#cachesize 0
+#ldbm#cachesize        0
 suffix         "o=University of Mich,c=US"
 directory      ./testrun/db.2.a
 rootdn         "cn=Manager,o=University of Mich,c=US"

diff --git a/tests/data/slapd-repl-slave.conf b/tests/data/slapd-repl-slave.conf
index a03323286772125a370c0c0545120254f378df9b..2de1bf49f2f9eb3cd49cb5b32e4201c07c2cf240 100644 (file)
--- a/tests/data/slapd-repl-slave.conf
+++ b/tests/data/slapd-repl-slave.conf
@@ -32,16 +32,10 @@ argsfile    ./testrun/slapd.2.args
 
 #ldapyes#overlay               chain
 #ldapyes#chain-uri             @URI1@
-#ldapyes#chain-idassert-method "simple"
-#ldapyes#chain-idassert-authcDN        "cn=Manager,dc=example,dc=com"
-#ldapyes#chain-idassert-passwd secret
-#ldapyes#chain-idassert-mode   self
+#ldapyes#chain-idassert-bind   bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self
 #ldapmod#overlay               chain
 #ldapmod#chain-uri             @URI1@
-#ldapmod#chain-idassert-method "simple"
-#ldapmod#chain-idassert-authcDN        "cn=Manager,dc=example,dc=com"
-#ldapmod#chain-idassert-passwd secret
-#ldapmod#chain-idassert-mode   self
+#ldapmod#chain-idassert-bind   bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self
 
 #######################################################################
 # database definitions

diff --git a/tests/data/slapd-schema.conf b/tests/data/slapd-schema.conf
index 5368b8da0d7e711bc8a36b60371ff82a0157809e..d1f82f617718027ed08224542963706cb3b5c43c 100644 (file)
--- a/tests/data/slapd-schema.conf
+++ b/tests/data/slapd-schema.conf
@@ -25,6 +25,7 @@ include ./schema/misc.schema
 include ./schema/nis.schema
 include ./schema/openldap.schema
 #
+include ./schema/duaconf.schema
 include ./schema/dyngroup.schema
 include ./schema/ppolicy.schema
 

diff --git a/tests/data/slapd-sql-syncrepl-master.conf b/tests/data/slapd-sql-syncrepl-master.conf
new file mode 100644 (file)
index 0000000..4c3b65d
--- /dev/null
+++ b/tests/data/slapd-sql-syncrepl-master.conf
@@ -0,0 +1,78 @@
+# master slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2005 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+#ucdata-path   ./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+pidfile     ./testrun/slapd.1.pid
+argsfile    ./testrun/slapd.1.args
+
+#sqlmod#modulepath ../servers/slapd/back-sql/
+#sqlmod#moduleload back_sql.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+#
+# normal installations should protect root dse,
+# cn=monitor, cn=schema, and cn=config
+#
+
+access to attr=userpassword
+       by self =wx
+       by anonymous =x
+
+access to *
+       by * read
+
+#######################################################################
+# sql database definitions
+#######################################################################
+
+database        sql
+suffix          "dc=example,dc=com"
+rootdn         "cn=Manager,dc=example,dc=com"
+rootpw          secret
+dbname          example
+dbuser          manager
+dbpasswd        secret
+
+#
+# rdbms specific directives
+#
+# IBM db2
+#ibmdb2#upper_func             "ucase"
+#ibmdb2#upper_needs_cast       "yes"
+#ibmdb2#concat_pattern         "?||?"
+#ibmdb2#children_cond          "ucase(ldap_entries.dn)=ucase(cast(? as varchar(255)))"
+#ibmdb2#create_needs_select    "yes"
+#ibmdb2#insentry_stmt          "insert into ldap_entries (id,dn,oc_map_id,parent,keyval) values ((select case when max(id) is null then 1 else max(id) + 1 end from ldap_entries),?,?,?,?)"
+#
+# PostgreSQL
+#postgres#insentry_stmt                "insert into ldap_entries (id,dn,oc_map_id,parent,keyval) values ((select case when max(id) is null then 1 else max(id) + 1 end from ldap_entries),?,?,?,?)"
+#postgres#upper_func           "upper"
+#postgres#strcast_func         "text"
+#postgres#concat_pattern       "?||?"
+#
+# MySQL
+#mysql#concat_pattern  "concat(?,?)"
+
+has_ldapinfo_dn_ru      no
+
+overlay                        syncprov
+
+#monitor#database monitor

diff --git a/tests/data/slapd-syncrepl-slave-persist1.conf b/tests/data/slapd-syncrepl-slave-persist1.conf
index 75520f92684a2e679e01dfbd461488292857a20b..c930f3c1c9ec067724fe5600c96e40158c00402e 100644 (file)
--- a/tests/data/slapd-syncrepl-slave-persist1.conf
+++ b/tests/data/slapd-syncrepl-slave-persist1.conf
@@ -34,16 +34,10 @@ argsfile    ./testrun/slapd.4.args
 
 #ldapyes#overlay               chain
 #ldapyes#chain-uri             @URI1@
-#ldapyes#chain-idassert-method "simple"
-#ldapyes#chain-idassert-authcDN        "cn=Manager,dc=example,dc=com"
-#ldapyes#chain-idassert-passwd secret
-#ldapyes#chain-idassert-mode   self
+#ldapyes#chain-idassert-bind   bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self
 #ldapmod#overlay               chain
 #ldapmod#chain-uri             @URI1@
-#ldapmod#chain-idassert-method "simple"
-#ldapmod#chain-idassert-authcDN        "cn=Manager,dc=example,dc=com"
-#ldapmod#chain-idassert-passwd secret
-#ldapmod#chain-idassert-mode   self
+#ldapmod#chain-idassert-bind   bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self
 
 #######################################################################
 # consumer database definitions

diff --git a/tests/data/slapd-translucent-local.conf b/tests/data/slapd-translucent-local.conf
index 3f4ed66066d75156a27cc8c1b6621100f7176e8b..3ba45516a76b5036f894f25c0bc5ebe4368c03fc 100644 (file)
--- a/tests/data/slapd-translucent-local.conf
+++ b/tests/data/slapd-translucent-local.conf
@@ -51,5 +51,4 @@ translucent_no_glue
 # XXX this uri really shouldn't be hardcoded
 uri            @URI1@
 lastmod                off
-acl-authcDN            uid=binder,o=translucent
-acl-passwd             bindtest
+acl-bind       binddn="uid=binder,o=translucent" credentials="bindtest"

diff --git a/tests/data/slapd-unique.conf b/tests/data/slapd-unique.conf
index 44794dc378cc2df9b4ca6d9e5a99a1a8d090faf8..8d16feb035a951cafe4bbe970d95e0a8ed790187 100644 (file)
--- a/tests/data/slapd-unique.conf
+++ b/tests/data/slapd-unique.conf
@@ -39,8 +39,12 @@ suffix               "o=unique"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,o=unique"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 overlay                        unique
 unique_ignore          o cn sn ou objectClass

diff --git a/tests/data/slapd-whoami.conf b/tests/data/slapd-whoami.conf
index cc82bbcafbd2633388a83f0c18f001abe9abbcca..c24b781629587d35b3dcf30963a65039a7263c11 100644 (file)
--- a/tests/data/slapd-whoami.conf
+++ b/tests/data/slapd-whoami.conf
@@ -57,7 +57,11 @@ suffix               "dc=example,dc=com"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,dc=example,dc=com"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#hdb#index             objectClass     eq
+#hdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 #monitor#database monitor

diff --git a/tests/data/slapd.conf b/tests/data/slapd.conf
index 45283e55e20de2700af15c4a88abe117cb35a9ed..2d3be6b33ff35575c43c51cf6b226b329b97a684 100644 (file)
--- a/tests/data/slapd.conf
+++ b/tests/data/slapd.conf
@@ -38,7 +38,9 @@ suffix                "dc=example,dc=com"
 directory      ./testrun/db.1.a
 rootdn         "cn=Manager,dc=example,dc=com"
 rootpw         secret
-index          objectClass     eq
-index          cn,sn,uid       pres,eq,sub
+#bdb#index             objectClass     eq
+#bdb#index             cn,sn,uid       pres,eq,sub
+#ldbm#index            objectClass     eq
+#ldbm#index            cn,sn,uid       pres,eq,sub
 
 #monitor#database monitor

diff --git a/tests/data/test.schema b/tests/data/test.schema
index 373d8ca10f8f8e20b02edbf4192146ee3647dde1..3e37b206138251bed76dac566148c96783bf68e2 100644 (file)
--- a/tests/data/test.schema
+++ b/tests/data/test.schema
@@ -44,6 +44,18 @@ attributetype ( 1.3.6.1.4.1.4203.666.1.37
        syntax 1.3.6.1.4.1.1466.115.121.1.24
        single-value )
 
-objectClass ( 1.3.6.1.4.1.4203.666.1.38
+attributetype ( 1.3.6.1.4.1.4203.666.1.38
+       name 'testObsolete'
+       obsolete
+       equality booleanMatch
+       syntax 1.3.6.1.4.1.1466.115.121.1.7
+       single-value )
+
+objectClass ( 1.3.6.1.4.1.4203.666.3.15
        name 'testPerson' sup OpenLDAPperson
        may testTime )
+
+objectClass ( 1.3.6.1.3.1.4203.666.3.16
+       name 'obsoletePerson'
+       obsolete auxiliary
+       may ( testObsolete ) )

diff --git a/tests/run.in b/tests/run.in
index 0754ba59d74323802ce0c230b9f802421424913e..57adb1c58745ea3260d5403600f3cb40aa4b5134 100644 (file)
--- a/tests/run.in
+++ b/tests/run.in
@@ -113,6 +113,9 @@ while test $# -gt 0 ; do
 done
 
 BACKENDTYPE=`eval 'echo $AC_'$BACKEND`
+if test "x$BACKENDTYPE" = "x" ; then
+       BACKENDTYPE="unknown"
+fi
 export BACKEND BACKENDTYPE WAIT KILLSERVERS PRESERVE USERDATA
 
 if test $# = 0 ; then

diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index 5ba3b9d9126f1b93663752ce811db1d5fb429cbe..06cbe3120594bb894b4d40906c1a73b4226622ed 100755 (executable)
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -27,7 +27,7 @@ if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" != x"no" ] ; then
        if [ x"$USE_SASL" = x"yes" ] ; then
                USE_SASL=DIGEST-MD5
        fi
-       SASL_MECH="\"mech=$USE_SASL\""
+       SASL_MECH="\"saslmech=$USE_SASL\""
 else
        SASL="nosasl"
        SASL_MECH=

diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 5e631b8ae4409a0e35b18e82e8c4fac46428752a..2596181bbfc06979301bcf783d7d2d4f473c4932 100755 (executable)
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -86,6 +86,7 @@ CHAINCONF2=$DATADIR/slapd-chain2.conf
 GLUESYNCCONF1=$DATADIR/slapd-glue-syncrepl1.conf
 GLUESYNCCONF2=$DATADIR/slapd-glue-syncrepl2.conf
 SQLCONF=$DATADIR/slapd-sql.conf
+SQLSRMASTERCONF=$DATADIR/slapd-sql-syncrepl-master.conf
 TRANSLUCENTLOCALCONF=$DATADIR/slapd-translucent-local.conf
 TRANSLUCENTREMOTECONF=$DATADIR/slapd-translucent-remote.conf
 METACONF=$DATADIR/slapd-meta.conf
@@ -209,7 +210,9 @@ SLAPADDLOG1=$TESTDIR/slapadd.1.log
 SLURPLOG=$TESTDIR/slurp.log
 
 SEARCHOUT=$TESTDIR/ldapsearch.out
+SEARCHOUT2=$TESTDIR/ldapsearch2.out
 SEARCHFLT=$TESTDIR/ldapsearch.flt
+SEARCHFLT2=$TESTDIR/ldapsearch2.flt
 LDIFFLT=$TESTDIR/ldif.flt
 TESTOUT=$TESTDIR/test.out
 INITOUT=$TESTDIR/init.out
@@ -264,6 +267,7 @@ SQLWRITE=$DATADIR/sql-write.out
 TRANSLUCENTOUT=$DATADIR/translucent.search.out
 METAOUT=$DATADIR/meta.out
 METACONCURRENCYOUT=$DATADIR/metaconcurrency.out
+MANAGEOUT=$DATADIR/manage.out
 
 # Just in case we linked the binaries dynamically
 LD_LIBRARY_PATH=`pwd`/../libraries:${LD_LIBRARY_PATH} export LD_LIBRARY_PATH

diff --git a/tests/scripts/test008-concurrency b/tests/scripts/test008-concurrency
index 080c1d5db676d19a6f422d34aa8d9890d4e63ba0..9c5df795155476733745020e8273e5f6eaa42f8b 100755 (executable)
--- a/tests/scripts/test008-concurrency
+++ b/tests/scripts/test008-concurrency
@@ -20,7 +20,7 @@ mkdir -p $TESTDIR $DBDIR1
 
 echo "Running slapadd to build slapd database..."
 . $CONFFILTER $BACKEND $MONITORDB < $CONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED -d -1 2> /tmp/slapadd.log
+$SLAPADD -f $CONF1 -l $LDIFORDERED -d -1 2> $SLAPADDLOG1
 RC=$?
 if test $RC != 0 ; then
        echo "slapadd failed ($RC)!"